PatchSiren cyber security CVE debrief
CVE-2019-9429 Hitachi Energy CVE debrief
CISA published advisory ICSA-25-196-01 on 2025-04-29 for CVE-2019-9429. The supplied source data describes a memory corruption issue in the profman component that can trigger an out-of-bounds write and potentially lead to unauthorized local escalation of privileges. The affected product is identified in the source metadata as Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier.
- Vendor: Hitachi Energy
- Product: Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-29
- Original CVE updated: 2025-04-29
- Advisory published: 2025-04-29
- Advisory updated: 2025-04-29
Who should care
Administrators, application owners, and security teams responsible for Hitachi Energy Asset Suite / Asset Suite AnyWhere for Inventory (AWI), especially where affected Android endpoints are managed or exposed to local users. OT/ICS defenders should prioritize review on any systems that could allow local execution of the affected app.
Technical summary
The vulnerability is described as memory corruption in the profman component. If exploited successfully, it can cause an out-of-bounds write and result in unauthorized local privilege escalation. The supplied advisory metadata lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with a score of 7.8.
Defensive priority
High. The issue is locally exploitable and can lead to privilege escalation, so affected endpoints should be reviewed and mitigated quickly.
Recommended defensive actions
- Apply the vendor’s General Mitigation Factors/Workarounds referenced in the advisory.
- Identify whether Asset Suite AnyWhere for Inventory (AWI) Android mobile app versions 11.5 (awi_11.5_armv7) and earlier are installed in your environment.
- Restrict local access and enforce least privilege on devices that run the affected software.
- Track the vendor and CISA advisory pages for any updated remediation guidance.
- Include affected mobile endpoints in patch, configuration, and compliance verification processes.
Evidence notes
This debrief is based only on the supplied CSAF advisory metadata and linked official references. The source data explicitly states memory corruption in profman, an out-of-bounds write, and potential unauthorized local escalation of privileges. The advisory metadata also supplies the affected product scope, remediation category, and CVSS 3.1 vector; no KEV information is included in the supplied corpus.
Official resources
- CVE-2019-9429 CVE record (CVE.org)
- CVE-2019-9429 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed via CISA advisory ICSA-25-196-01 on 2025-04-29; the supplied source item uses the same published and modified timestamp.