What vulnerabilities were reported in Hitachi Energy Asset Suite?

Hitachi Energy reported multiple vulnerabilities in its Asset Suite platform, including CVE-2025-2500 (CVSS 9.1) for plaintext password storage, CVE-2019-9262 (CVSS 8.8) for out-of-bounds write in MPEG4Extractor, CVE-2019-9429 (CVSS 7.8) for memory corruption in profman, CVE-2019-9256 (CVSS 7.8) for integer overflow in libmediaextractor, CVE-2019-9290 (CVSS 7.8) for invalid pointer reference in tzdata, and CVE-2025-1484 (CVSS 6.3) for cross-site scripting in media upload.

What is the most critical vulnerability in Hitachi Energy Asset Suite?

The most critical vulnerability is CVE-2025-2500 with a CVSS score of 9.1. This is a plaintext password storage vulnerability in SOAP web services that enables unauthorized access and expands attack windows by storing passwords without proper encryption.

Which Hitachi Energy products are affected by these vulnerabilities?

The vulnerabilities affect Asset Suite 9 Series versions 9.6.4.4 and 9.7, as well as Asset Suite AnyWhere for Inventory (AWI) Android Mobile App versions 11.5 and prior. Different products are affected by different combinations of the reported vulnerabilities.

What attacks are possible through these Hitachi Energy vulnerabilities?

These vulnerabilities could enable attackers to perform remote code execution, escalate privileges, steal sensitive data, or completely compromise critical energy infrastructure systems. Specific attack vectors include memory corruption, privilege escalation, unauthorized access through plaintext passwords, and cross-site scripting attacks.

Are patches available for the Hitachi Energy Asset Suite vulnerabilities?

Patch availability varies by vulnerability. For CVE-2025-1484 affecting Asset Suite version 9.6.4.4, Hitachi Energy recommends updating to version 9.6.4.5 when available. For CVE-2025-2500 affecting both versions 9.6.4.4 and 9.7, only general mitigation factors are currently available with no patch released yet.

What is CVE-2025-2500 and why is it critical?

CVE-2025-2500 is a critical vulnerability with CVSS score 9.1 that involves plaintext storage of passwords in SOAP web services. This vulnerability is critical because it enables unauthorized access to systems and significantly expands attack windows by storing sensitive authentication credentials without proper encryption.

Which vulnerabilities affect the AWI Android Mobile App?

The Asset Suite AnyWhere for Inventory (AWI) Android Mobile App versions 11.5 and prior are affected by four vulnerabilities: CVE-2019-9262 (out-of-bounds write in MPEG4Extractor), CVE-2019-9429 (memory corruption in profman), CVE-2019-9256 (integer overflow in libmediaextractor), and CVE-2019-9290 (invalid pointer reference in tzdata).

Advisory

Multiple vulnerabilities reported in Hitachi Energy Asset Suite, at least one critical

Q: What security recommendations did Hitachi Energy provide?

Hitachi Energy strongly advises organizations to avoid using process control systems for web browsing, instant messaging, or email communications. All portable computers and removable storage media should undergo thorough virus scanning before connecting to control systems. Additionally, proper password policies and processes should be enforced across all systems.

published: July 15, 2025

Take action: If you're using Hitachi Energy Asset Suite, make sure the systems are isolated from the internet and used only for the dedicated purpose (no web browsing, email, or instant messaging.). Then contact the vendor for patches.

Learn More

Hitachi Energy is reporting multiple vulnerabilities in its Asset Suite platform, including one critical severity flaw. The flaws could enable attackers to perform remote code execution, escalate privileges, steal sensitive data, or completely compromise critical energy infrastructure systems.

Vulnerability summary:

CVE-2025-2500 (CVSS score 9.1) - Plaintext Storage of Password. A critical vulnerability in SOAP web services that stores passwords in plaintext, enabling unauthorized access and expanding attack windows.
CVE-2019-9262 (CVSS score 8.8) - Out-of-bounds Write. A vulnerability in the MPEG4Extractor component that could trigger memory corruption, potentially leading to remote code execution.
CVE-2019-9429 (CVSS score 7.8) - Out-of-bounds Write. A memory corruption vulnerability in the profman component that could result in local privilege escalation.
CVE-2019-9256 (CVSS score 7.8) - Out-of-bounds Write. An integer overflow vulnerability in the libmediaextractor component that could enable remote code execution.
CVE-2019-9290 (CVSS score 7.8) - Release of Invalid Pointer or Reference: A vulnerability in the tzdata component caused by allocation-deallocation function mismatches, potentially leading to local privilege escalation.
CVE-2025-1484 (CVSS score 6.3) - Incomplete List of Disallowed Inputs. A cross-site scripting vulnerability in the media upload component that allows attackers to execute malicious JavaScript code within user browser sessions.

The security vulnerabilities impact the following Hitachi Energy products:

Asset Suite 9 Series:

Version 9.6.4.4 (affected by CVE-2025-1484, CVE-2025-2500)
Version 9.7 (affected by CVE-2025-2500)

Asset Suite AnyWhere for Inventory (AWI) Android Mobile App:

Versions 11.5 and prior (affected by CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)

Hitachi Energy has provided the following mitigation guidance:

For CVE-2025-1484 affecting Asset Suite version 9.6.4.4, the company recommends updating to version 9.6.4.5 when available
CVE-2025-2500 affecting both Asset Suite versions 9.6.4.4 and 9.7, only general mitigation factors are currently available, no patch has been released yet.

Organizations are strongly advised to avoid using process control systems for web browsing, instant messaging, or email communications. All portable computers and removable storage media should undergo thorough virus scanning before connecting to control systems. Additionally, proper password policies and processes should be enforced across all systems.

Multiple vulnerabilities reported in Hitachi Energy Asset Suite, at least one critical

Read More
Critical authentication bypass flaw reported in Mitsubishi Electric …
Rockwell Automation ControlLogix 1756 devices are vulnerable to …
Critical flaw reported in end-of-life GeoVision devices, actively …
wolfSSL Patches Critical Certificate Forgery Vulnerability Affecting Billions …
Multiple vulnerabilities reportd in Optigo Networks Visual BACnet …