PatchSiren cyber security CVE debrief
CVE-2019-9290 Hitachi Energy CVE debrief
CVE-2019-9290 is a high-severity issue affecting Hitachi Energy’s Asset Suite-related Android mobile app deployment described in the advisory as Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 and earlier. The problem is a tzdata component mismatch between allocation and deallocation functions that can corrupt memory and may allow a local attacker to escalate privileges. CISA published the advisory on 2025-04-29 in ICSA-25-196-01; the supplied enrichment does not mark it as a KEV item.
- Vendor
- Hitachi Energy
- Product
- Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-04-29
- Original CVE updated
- 2025-04-29
- Advisory published
- 2025-04-29
- Advisory updated
- 2025-04-29
Who should care
Administrators and security teams responsible for Hitachi Energy Asset Suite deployments, especially environments using the Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 and earlier. Industrial/OT defenders should also care because the advisory is published in a CISA ICS context and the impact is local privilege escalation on an affected endpoint.
Technical summary
The advisory describes a tzdata bug caused by a mismatch between allocation and deallocation functions. Under the supplied CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), an attacker with local, low-privilege access may be able to trigger memory corruption and elevate privileges on the affected system. The source metadata ties the affected product to the Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 and earlier, while the advisory title references Asset Suite 9 series; that scope should be validated against the vendor notice before remediation planning.
Defensive priority
High. The issue is local but can lead to full privilege escalation, and the affected software appears in an industrial/OT-adjacent product line. Prioritize inventorying exposure, applying vendor guidance, and restricting local access where the app is present.
Recommended defensive actions
- Confirm whether any systems run Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) or earlier.
- Apply the vendor’s general mitigation/workaround guidance listed in the advisory and track for any corrected release information.
- Review and limit who can install, access, or interact with the affected Android application on managed devices.
- Use least-privilege controls on endpoints that run the app to reduce the impact of local privilege escalation.
- Follow CISA ICS defensive guidance and the vendor advisory for compensating controls until remediation is complete.
Evidence notes
The supplied CISA CSAF advisory ICSA-25-196-01 and the vendor preview reference both describe a tzdata component vulnerability caused by a mismatch between allocation and deallocation functions that can lead to memory corruption and local escalation of privilege. The source metadata lists the affected product as Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 and earlier, and the CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. No KEV entry is provided in the supplied enrichment.
Official resources
-
CVE-2019-9290 CVE record
CVE.org
-
CVE-2019-9290 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA publicly published the advisory for this issue on 2025-04-29 (ICSA-25-196-01). The supplied enrichment indicates the CVE is not in KEV. This debrief intentionally omits exploit details and focuses on defensive response.