Hitachi Energy Ellipse

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-26-092-03 | Feb 24, 2026
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the Jasper Reports component embedded in Hitachi Energy Ellipse allows remote code execution through malicious custom report files. The vulnerability exists because Ellipse allows end users to create and load arbitrary Jasper Reports without sufficient validation. Affected versions are Ellipse 9.0.50 and earlier. The vulnerability can be exploited to execute arbitrary commands on the Ellipse server, compromising the entire system and any connected infrastructure.

What this means
What could happen
An attacker with network access to Ellipse can execute arbitrary commands on the system through a vulnerable Jasper Reports component, potentially allowing them to compromise the entire reporting and data management infrastructure for your energy operations.
Who's at risk
Energy utilities and operators who use Hitachi Energy Ellipse for asset management, reporting, and data analytics. This affects organizations that allow end users to create or upload custom Jasper Reports to the system.
How it could be exploited
An attacker sends a malicious Jasper Report file to the Ellipse server through the report loading mechanism. The vulnerable Jasper Reports component processes the file and executes arbitrary code embedded in the report definition, giving the attacker command execution on the Ellipse host.
Prerequisites
  • Network access to Ellipse application port
  • Ability to upload or trigger loading of a custom Jasper Report file
  • Ellipse version 9.0.50 or earlier
Tags: remotely exploitable, no authentication required, low complexity, critical severity (CVSS 9.8), affects energy sector infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (1)
Product | Affected Versions | Fix Status
Ellipse | ≤ 9.0.50 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict loading of external custom Jasper Reports to only reports generated by system administrators; disable end-user creation and loading of custom reports
HARDENING: Implement network access controls to restrict which systems and users can upload or load reports into Ellipse
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Ellipse to version 9.1.0 or later when available from Hitachi Energy
HARDENING: Monitor Ellipse report loading logs for suspicious or unexpected report uploads from non-administrative users
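
An added example, not part of the advisory and not Hitachi Energy code: a pre-load screen that supports the workaround above by flagging JRXML report definitions that need administrator review before they are loaded. The allowlists, the sample reports and the com.example class names are constructed assumptions, and the screen assumes reports arrive as JRXML source rather than compiled .jasper files.

```python
import re
import xml.etree.ElementTree as ET

# Assumed review policy for this example; tune to the reports you actually run.
ALLOWED_LANGUAGES = {"java"}
ALLOWED_CLASSES = {"String", "Integer", "Long", "Double", "Boolean", "Math", "BigDecimal", "Date"}
REFERENCE = re.compile(r"\$[FPVR]\{[^}]*\}")      # $F{field}, $P{param}, $V{var}, $R{key}
STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')
CLASS_NAME = re.compile(r"\b[A-Z][A-Za-z0-9_]*\b")

# Constructed sample reports (not from the advisory).
BENIGN = """<jasperReport xmlns="http://jasperreports.sourceforge.net/jasperreports" name="costs">
  <variable name="gross" class="java.math.BigDecimal">
    <variableExpression><![CDATA[$F{cost}.multiply(new BigDecimal("1.2"))]]></variableExpression>
  </variable>
</jasperReport>"""
NEEDS_REVIEW = """<jasperReport xmlns="http://jasperreports.sourceforge.net/jasperreports"
    name="custom" language="groovy" scriptletClass="com.example.Hook">
  <variable name="v" class="java.lang.String">
    <variableExpression><![CDATA[com.example.Unreviewed.run($P{arg})]]></variableExpression>
  </variable>
</jasperReport>"""


def screen_jrxml(text):
    """Return findings for one JRXML document; an empty list means it passed."""
    # Refuse DTDs up front so the XML parser never expands entities from untrusted input.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return ["DTD or entity declaration present; not parsed"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag.rsplit("}", 1)[-1] != "jasperReport":
        return ["root element is not jasperReport"]
    findings = []
    language = root.get("language", "java").lower()
    if language not in ALLOWED_LANGUAGES:
        findings.append(f"expression language {language!r} is not allowed")
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]          # element name without namespace
        if name == "scriptlet" or el.get("scriptletClass"):
            findings.append(f"<{name}> loads a scriptlet class")
        if name.lower().endswith("expression") and el.text:
            # Blank out report references and string literals, then look at class names.
            code = STRING_LITERAL.sub('""', REFERENCE.sub("0", el.text))
            for cls in sorted(set(CLASS_NAME.findall(code)) - ALLOWED_CLASSES):
                findings.append(f"<{name}> references class {cls} outside the allowlist")
    return findings
```

Any finding routes the report to an administrator instead of the loader; the screen narrows what reaches review and does not replace restricting who may load reports.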