PatchSiren cyber security CVE debrief
CVE-2019-9262 Hitachi Energy CVE debrief
CVE-2019-9262 is a high-severity vulnerability affecting Hitachi Energy Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier, as described in the 2025 CISA advisory. The issue is in the MPEG4Extractor component of the media extractor and could allow an attacker to trigger an out-of-bounds write, which may lead to remote code execution. The supplied advisory data does not identify a KEV listing or a specific fixed version, so defenders should rely on the vendor/CISA mitigation guidance and general ICS hardening practices.
- Vendor: Hitachi Energy
- Product: Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-29
- Original CVE updated: 2025-04-29
- Advisory published: 2025-04-29
- Advisory updated: 2025-04-29
Who should care
Organizations using Hitachi Energy Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 or earlier, especially operators and administrators responsible for industrial or operational environments. Security teams should also review any mobile-device management, application deployment, and network exposure that could place the affected app within reach of untrusted content or users.
Technical summary
The advisory describes an out-of-bounds write in the MPEG4Extractor component of the media extractor. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates network reachability, low attack complexity, no privileges required, and user interaction required. If successfully exploited, the flaw could result in remote code execution and impact confidentiality, integrity, and availability. The source material does not provide exploit conditions beyond the media processing path or any vendor-provided fixed build information.
Defensive priority
High
Recommended defensive actions
- Apply the vendor and CISA mitigation guidance identified as General Mitigation Factors/Workarounds for the affected product.
- Review the Hitachi Energy advisory and confirm whether your deployed Asset Suite AWI Android app version is 11.5 or earlier.
- Reduce exposure of affected mobile applications and the systems they connect to using ICS defense-in-depth and recommended practices.
- Use CISA ICS recommended practices to harden affected environments, including access control and segmentation where appropriate.
- Monitor vendor and CISA channels for any updated remediation guidance or fixed releases if you have not already done so.
Evidence notes
This debrief is based only on the supplied CISA CSAF source item, the vendor reference, and the official CVE/NVD links. The source text identifies the affected product as Hitachi Energy Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier, while the advisory title and product family reference Asset Suite / Asset Suite 9 series. No KEV entry, ransomware association, or specific fixed version is present in the provided data. The severity and attack characteristics are taken from the supplied CVSS vector and score.
Official resources
- CVE-2019-9262 CVE record (CVE.org)
- CVE-2019-9262 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
CISA published the advisory for CVE-2019-9262 on 2025-04-29. The provided source data records an initial advisory revision on the same date and does not indicate KEV inclusion.