
Hitachi Energy has issued a cybersecurity advisory warning of multiple vulnerabilities impacting its Asset Suite product—a widely used Enterprise Asset Management (EAM) solution in the power generation sector. The advisory, published on May 27, 2025, details seven vulnerabilities ranging from cross-site scripting (XSS) and plaintext password exposure to mobile app memory corruption that could lead to remote code execution or privilege escalation.
“If these vulnerabilities are successfully exploited by an attacker, it could have an impact on the confidentiality, integrity, or availability of the product,” the advisory stated.
CVE-2025-1484 – Cross-Site Scripting in Media Upload (CVSS 6.5)
This medium-severity vulnerability stems from an incomplete list of disallowed inputs in the media upload component of Asset Suite 9.6.4.4. If exploited, an attacker could execute JavaScript code in a user’s browser session, affecting confidentiality and integrity.
“An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied by the attacker to execute within the user’s browser,” the advisory noted.
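The root cause named above, an incomplete list of disallowed inputs, is the classic denylist weakness. The following added example (illustrative only, not Asset Suite's code) contrasts a hypothetical denylist check on an uploaded media file name with the allowlist-plus-output-encoding pattern defenders prefer:

```python
import html
import re

# Weak pattern: a denylist of substrings that must not appear in an uploaded
# media file name. Hypothetical list, constructed for this illustration.
DENYLIST = ("<script", "javascript:", "onload=")


def denylist_accepts(filename: str) -> bool:
    """Accept the name if no denylisted substring appears (case-sensitive).

    Any entry the list does not enumerate (or a case variant of one that it
    does) passes, which is why a denylist is considered incomplete by design.
    """
    return not any(bad in filename for bad in DENYLIST)


# Hardened pattern: constrain the shape of the name and its extension with an
# allowlist, then HTML-encode whatever is echoed back into a page.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif", "pdf"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def allowlist_accepts(filename: str) -> bool:
    """Accept only names built from a known-safe alphabet and extension."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    stem, _, ext = filename.rpartition(".")
    return bool(stem) and ext.lower() in ALLOWED_EXT


def render_name(filename: str) -> str:
    """Encode for an HTML text or attribute context, regardless of validation."""
    return html.escape(filename, quote=True)


def accept_upload(filename: str):
    """Return the display-safe name for a valid upload, or None to reject."""
    if not allowlist_accepts(filename):
        return None
    return render_name(filename)
```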
CVE-2025-2500 – Plaintext Password Storage in SOAP Services (CVSS 9.1)
A high-severity flaw allows unauthorized access via plaintext password exposure in SOAP web services.
“An attacker could gain unauthorized access to the product and the time window of a possible password attack could be expanded,” the advisory explained.
CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290 – Mobile App Vulnerabilities
Multiple issues in Asset Suite Anywhere (AWI) Android mobile apps (version 11.5 and earlier) can lead to remote code execution, local privilege escalation, and memory corruption due to out-of-bounds writes and improper memory management.
- CVE-2019-9256 (CVSS 8.8): Out-of-bounds write in libmediaextractor
- CVE-2019-9429 (CVSS 7.8): Memory corruption in profman
- CVE-2019-9290 (CVSS 7.8): Invalid pointer release in tzdata
| CVE ID | Affected Versions | Recommended Actions |
|---|---|---|
| CVE-2025-1484 | Asset Suite 9.6.4.4 | Upgrade to 9.6.4.5 when available; apply mitigations |
| CVE-2025-2500 | Asset Suite 9.6.4.4, 9.7 | Apply general mitigations |
| CVE-2019 Series | AWI Android 11.5 and earlier | Apply general mitigations |
Hitachi Energy recommends:
- Strict firewall configurations
- Physical protection of control systems
- No internet connectivity or messaging apps on process control systems
- Virus scans of portable media before connecting to control environments
Hitachi Energy’s Asset Suite EAM is designed for utility and nuclear power operators, providing tools for maximizing asset ROI, increasing reliability, and streamlining work processes. At the time of publication, no known exploits of these vulnerabilities were reported.