Hitachi Energy SuprOS

Plan PatchCVSS 8.8ICS-CERT ICSA-26-043-09Feb 12, 2026

Hitachi EnergyEnergyTransportation

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Hitachi Energy SuprOS versions 9.2.1 and below and version 9.2.2.0 contain a vulnerability (CWE-1392) that allows an attacker with local access to exploit default or unmanaged credentials. Successful exploitation leads to full system compromise with impacts to confidentiality, integrity, and availability.

What this means

What could happen

An attacker with local access to a SuprOS system could gain unauthorized control by using default or unmanaged credentials, potentially allowing them to read sensitive data, modify system configurations, or shut down critical energy infrastructure operations.

Who's at risk

Energy and transportation operators using Hitachi Energy SuprOS control systems are affected. This includes power generation facilities, transmission/distribution control systems, and transportation infrastructure that rely on SuprOS for supervisory control and monitoring.

How it could be exploited

An attacker with local or physical access to a SuprOS system can exploit default or weak passwords on privileged accounts (such as root). Once authenticated, the attacker has full control of the system, including the ability to alter operational parameters, disable safety functions, or extract sensitive configuration data.

Prerequisites

Local or physical access to SuprOS system
Knowledge of or ability to discover default credentials (root account)
No multi-factor authentication enabled

Default credentialsNo authentication required for local accessLow complexity exploitationAffects critical infrastructureNo patch available for affected versions

Exploitability

Unlikely to be exploited — EPSS score 0.0%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

SuprOS 9.2.1 and below≤ 9.2.1No fix (EOL)

SuprOS 9.2.2.09.2.2.0No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGChange the root password immediately on all SuprOS systems

HARDENINGRemove all unnecessary user accounts from SuprOS systems

HARDENINGReview and reset all default credentials according to Hitachi Energy Secure Deployment Guidelines chapter 4.3

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: SuprOS 9.2.1 and below, SuprOS 9.2.2.0. Apply the following compensating controls:

HARDENINGRestrict physical and local network access to SuprOS systems to authorized personnel only

HARDENINGIsolate SuprOS systems from business networks using a firewall and ensure they are not accessible from the internet

HARDENINGImplement strong authentication controls such as multi-factor authentication if SuprOS supports it

CVEs (1)

CVE-2025-7740

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/eabdb82e-562c-4861-b165-1bced3c7758b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.