Hitachi Energy Asset Suite
Act Now · CVSS 9.8 · ICS-CERT ICSA-26-008-01 · Jan 8, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Hitachi Energy Asset Suite versions 9.7 and earlier contain a Jasper Report deserialization vulnerability (CWE-502) that allows remote code execution. The vulnerability exists in the report processing engine and can be exploited without authentication by sending a malicious serialized object through the web interface.
What this means
What could happen
An attacker could execute arbitrary code on Asset Suite servers, allowing them to read sensitive power generation and distribution data, modify control system configurations, or disrupt energy operations.
Who's at risk
Energy utilities and generation facilities running Hitachi Energy Asset Suite for asset and power system management. Affects control system visibility, alarm systems, and operational databases used by operators and engineers.
How it could be exploited
An unauthenticated attacker with network access to the Asset Suite web interface can exploit a Jasper Report vulnerability (CWE-502 deserialization flaw) to upload and execute arbitrary code on the application server.
Prerequisites
- Network access to Asset Suite web interface (typically port 443 or 8080)
- No authentication required
- Asset Suite version 9.7 or earlier
remotely exploitable · no authentication required · low complexity · high CVSS (9.8) · affects power generation/distribution visibility
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
| Product | Affected Versions | Fix Status |
|---|---|---|
| Asset Suite | ≤ 9.7 | 9.8 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict loading of external custom reports to only trusted Jasper reports generated by system administrators
- HARDENING: Ensure Asset Suite servers are not directly accessible from the internet
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade Asset Suite to version 9.8 or later
Long-term hardening
- HARDENING: Isolate Asset Suite networks from business networks with firewall boundaries
CVEs (1)