Hitachi Energy Asset Suite

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-008-01 | Jan 8, 2026
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy Asset Suite versions 9.7 and earlier contain a vulnerability in the Jasper Report component that can be exploited for remote code execution (CWE-502). The vulnerability allows unauthenticated attackers to execute arbitrary commands on the Asset Suite server, potentially compromising energy asset management and operations. This affects all versions up to and including 9.7; version 9.8 and later contain the fix.

What this means
What could happen
An unauthenticated attacker on the network could exploit a flaw in the Jasper Report component to run arbitrary code on the Asset Suite server, potentially disrupting energy asset management and control operations.
Who's at risk
Energy utilities and operators managing Hitachi Energy Asset Suite for monitoring and controlling generation, transmission, or distribution assets. This affects any deployment of Asset Suite versions 9.7 and earlier that is accessible over a network.
How it could be exploited
An attacker with network access to the Asset Suite application can craft a malicious Jasper report that exploits the vulnerability (CWE-502, related to unsafe deserialization). If the server loads or processes the report, the attacker gains remote code execution on the Asset Suite host.
Prerequisites
  • Network access to the Asset Suite application port
  • Asset Suite version 9.7 or earlier
  • Ability to upload or inject a custom Jasper report, or application configured to load reports from untrusted sources
Remotely exploitable | No authentication required | Low complexity | High CVSS score (9.8)
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (1)
Product | Affected Versions | Fix Status
Asset Suite | ≤ 9.7 | 9.8
Remediation & Mitigation
Do now
WORKAROUND: Configure Asset Suite to load only trusted Jasper reports generated by system administrators; disable or restrict end-user custom report loading
HARDENING: Restrict network access to the Asset Suite application to authorized users and workstations only; deploy firewall rules to block inbound connections from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Asset Suite to version 9.8 or later
Long-term hardening
HARDENING: Isolate the Asset Suite network segment from business networks; place the system behind a firewall and restrict remote access
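
One way to verify the "load only trusted Jasper reports" workaround, as an added example that is not part of the advisory or of Hitachi Energy's tooling: audit a report directory against an administrator-approved manifest of SHA-256 hashes. The directory layout, manifest format and file names are assumptions; because compiled .jasper files are Java-serialized objects, the script also labels any file that starts with the Java serialization stream header, whatever its extension.

```python
import hashlib
import tempfile
from pathlib import Path

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # header of a Java serialization stream


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_reports(report_dir, approved):
    """Return (relative_path, reason) for every file not on the allowlist.

    approved maps relative path -> SHA-256 recorded when an administrator
    published the report (hypothetical manifest format, an assumption).
    """
    root = Path(report_dir)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        with path.open("rb") as fh:
            serialized = fh.read(4) == JAVA_SERIAL_MAGIC
        kind = "serialized Java object" if serialized else "non-serialized file"
        if rel not in approved:
            findings.append((rel, f"unapproved {kind}"))
        elif sha256_file(path) != approved[rel]:
            findings.append((rel, f"modified {kind}"))
    return findings


def demo():
    """Run the audit over constructed sample files (not real reports)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "monthly.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"approved-bytes")
        (root / "outage.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"original")
        approved = {n: sha256_file(root / n) for n in ("monthly.jasper", "outage.jasper")}
        # Simulate changes made after the manifest was recorded.
        (root / "outage.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"tampered")
        (root / "logo.png").write_bytes(JAVA_SERIAL_MAGIC + b"renamed-object")
        (root / "notes.txt").write_text("plain text")
        return audit_reports(root, approved)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Keep the manifest outside the report directory and writable only by administrators, so a changed or newly dropped report shows up as a finding rather than being silently trusted.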