Advisory

Hitachi Energy patches critical RCE flaw in Asset Suite

Take action: Make sure your Hitachi Asset Suite uses only predefined reports, and do not allow users to upload untrusted reports. If possible, isolate Hitachi Asset Suite so that it is accessible only from trusted networks and by a limited number of users. Then plan an update to Asset Suite version 9.8.



Hitachi Energy reports a critical flaw in its Asset Suite software, which utilities use to manage power plants and grids. 

The vulnerability is tracked as CVE-2025-10492 (CVSS score 9.8), an insecure deserialization of untrusted data. The flaw is caused by a third-party tool called the Jaspersoft Library. This library helps the system create reports but contains a bug that lets attackers run their own code on the server.

When the software takes data from an outside source, it turns it into a Java object (deserializes it) without checking it first. Attackers can send a malicious data package that forces the system to execute commands, leading to a full takeover of the asset management platform.

This flaw affects Hitachi Energy Asset Suite versions 9.7 and prior.

Hitachi Energy released Asset Suite version 9.8 to fix this hole. Administrators should update their systems as soon as possible. Organizations that cannot update right away should stop users from uploading their own custom reports and only allow reports that the system administrator has verified and generated.
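One way to enforce the "administrator-verified reports only" workaround described above, as an added example that is not Hitachi Energy's or Jaspersoft's code: it audits a report directory against an allow-list of SHA-256 hashes and flags any unapproved file that begins with the standard Java serialization stream header. The directory layout, file names and allow-list are assumptions, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Standard Java serialization header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def sha256_of(path):
    """Hash a file in chunks so large report files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_reports(report_dir, approved_hashes):
    """Return (filename, verdict) for every file under report_dir.

    approved_hashes is a set of SHA-256 hex digests maintained by the
    administrator (hypothetical allow-list, not a product feature).
    """
    findings = []
    for path in sorted(Path(report_dir).rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as f:
            head = f.read(4)
        if sha256_of(path) in approved_hashes:
            verdict = "approved"
        elif head == JAVA_SERIAL_MAGIC:
            # Unverified serialized object: never hand this to a deserializer
            verdict = "BLOCK: unapproved serialized Java object"
        else:
            verdict = "REVIEW: not on approved list"
        findings.append((path.name, verdict))
    return findings

def demo():
    """Run the audit over constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "monthly.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"constructed-approved")
        (root / "upload.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"constructed-unknown")
        (root / "notes.txt").write_bytes(b"constructed text")
        approved = {sha256_of(root / "monthly.jasper")}
        return audit_reports(root, approved)

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{name}: {verdict}")
```

Hash matching is the control here; the header check only prioritizes which unapproved files to quarantine first.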
