1. EXECUTIVE SUMMARY
- CVSS v4 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Energy Asset Suite
- Vulnerabilities: Incomplete List of Disallowed Inputs, Plaintext Storage of a Password, Out-of-bounds Write, Release of Invalid Pointer or Reference
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code executions, or escalate privileges.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- Asset Suite AnyWhere for Inventory (AWI) Android mobile app: Versions 11.5 and prior (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)
- Asset Suite 9 series: Version 9.6.4.4 (CVE-2025-1484, CVE-2025-2500)
- Asset Suite 9 series: Version 9.7 (CVE-2025-2500)
3.2 VULNERABILITY OVERVIEW
3.2.1 INCOMPLETE LIST OF DISALLOWED INPUTS CWE-184
A vulnerability exists in the media upload component of the Asset Suite versions listed above. If successfully exploited an attacker could impact the confidentiality or integrity of the system. An attacker can use this vulnerability to construct a request that will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application.
CVE-2025-1484 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for This article has been indexed from All CISA Advisories