What vulnerabilities were reported in Hitachi Energy Asset Suite?

Hitachi Energy reported multiple vulnerabilities in its Asset Suite platform, including CVE-2025-2500 (CVSS 9.1) for plaintext password storage, CVE-2019-9262 (CVSS 8.8) for out-of-bounds write in MPEG4Extractor, CVE-2019-9429 (CVSS 7.8) for memory corruption in profman, CVE-2019-9256 (CVSS 7.8) for integer overflow in libmediaextractor, CVE-2019-9290 (CVSS 7.8) for invalid pointer reference in tzdata, and CVE-2025-1484 (CVSS 6.3) for cross-site scripting in media upload.

What is the most critical vulnerability in Hitachi Energy Asset Suite?

The most critical vulnerability is CVE-2025-2500 with a CVSS score of 9.1. This is a plaintext password storage vulnerability in SOAP web services that enables unauthorized access and expands attack windows by storing passwords without proper encryption.

Which Hitachi Energy products are affected by these vulnerabilities?

The vulnerabilities affect Asset Suite 9 Series versions 9.6.4.4 and 9.7, as well as Asset Suite AnyWhere for Inventory (AWI) Android Mobile App versions 11.5 and prior. Different products are affected by different combinations of the reported vulnerabilities.

What attacks are possible through these Hitachi Energy vulnerabilities?

These vulnerabilities could enable attackers to perform remote code execution, escalate privileges, steal sensitive data, or completely compromise critical energy infrastructure systems. Specific attack vectors include memory corruption, privilege escalation, unauthorized access through plaintext passwords, and cross-site scripting attacks.

Are patches available for the Hitachi Energy Asset Suite vulnerabilities?

Patch availability varies by vulnerability. For CVE-2025-1484 affecting Asset Suite version 9.6.4.4, Hitachi Energy recommends updating to version 9.6.4.5 when available. For CVE-2025-2500 affecting both versions 9.6.4.4 and 9.7, only general mitigation factors are currently available with no patch released yet.

What is CVE-2025-2500 and why is it critical?

CVE-2025-2500 is a critical vulnerability with CVSS score 9.1 that involves plaintext storage of passwords in SOAP web services. This vulnerability is critical because it enables unauthorized access to systems and significantly expands attack windows by storing sensitive authentication credentials without proper encryption.

What security recommendations did Hitachi Energy provide?

Hitachi Energy strongly advises organizations to avoid using process control systems for web browsing, instant messaging, or email communications. All portable computers and removable storage media should undergo thorough virus scanning before connecting to control systems. Additionally, proper password policies and processes should be enforced across all systems.

Which vulnerabilities affect the AWI Android Mobile App?

The Asset Suite AnyWhere for Inventory (AWI) Android Mobile App versions 11.5 and prior are affected by four vulnerabilities: CVE-2019-9262 (out-of-bounds write in MPEG4Extractor), CVE-2019-9429 (memory corruption in profman), CVE-2019-9256 (integer overflow in libmediaextractor), and CVE-2019-9290 (invalid pointer reference in tzdata).

Advisory

Google releases urgent patch for Chrome, fixes actively exploited flaw

published: July 16, 2025

Take action: Once again - an urgent patch for Chrome - Google is patching an actively exploited flaw in Chrome, and exploitation is just a visit to a malicious site. DONT WAIT! Update all your Chrome and Chromium browsers (Edge, Opera, Brave, Vivaldi...). Updating the browser is easy, all your tabs reopen after the patch.

Learn More

Google has released an urgent security update for its Chrome web browser addressing six security vulnerabilities, including a critical zero-day flaw that is being actively exploited in the wild.

Vulnerability summary (high severity flaws)

CVE-2025-6558 (CVSS score 8.8) - Incorrect validation of untrusted input in ANGLE and GPU: A critical sandbox escape vulnerability that allows remote attackers to break out of Chrome's security boundaries through malicious web pages. Actively exploited in the wild.
CVE-2025-7656 (CVSS score 8.8) - Integer overflow in V8: A mathematical overflow vulnerability in Chrome's JavaScript engine that could lead to memory corruption and potential code execution.
CVE-2025-7657 (CVSS score 8.8) - Use after free in WebRTC (High severity): A memory management vulnerability in Chrome's real-time communication components that could enable remote code execution.

Google's Threat Analysis Group (TAG) discovered CVE-2025-6558 on June 23, 2025. The involvement of TAG, which specializes in tracking nation-state cyber activities, suggests potential targeting by advanced persistent threat groups or state-sponsored actors.

All versions of Google Chrome prior to 138.0.7204.157/.158 are vulnerable to these security flaws. Users should immediately update their browsers to the latest version to protect against active exploitation. The update process can be initiated by navigating to Chrome's menu (three dots) > Help > About Google Chrome, which will automatically check for and install available updates.

Google releases urgent patch for Chrome, fixes actively exploited flaw

Read More
Apple issues (second) emergency fix for vulnerabilities exploited …
Microsoft December 2024 update addresses 71 flaws, 16 …
State of (in)security - Week 27, 2023
Google researchers confirm critical flaw in Samsung S24, …
Google releases Chrome emergency update; patches four vulnerabilities, …