PatchSiren cyber security CVE debrief
CVE-2022-29404 Hitachi Energy CVE debrief
CVE-2022-29404 is a Hitachi Energy Service Suite issue tied to Apache HTTP Server 2.4 vulnerabilities. According to the CISA CSAF advisory, affected versions are 9.8.1.3 and below, and the vendor remediation is to update to 9.8.1.4. The supplied CVSS vector shows a remotely reachable, no-authentication, no-user-interaction condition with high availability impact, so this is primarily a service-disruption risk for exposed deployments.
- Vendor: Hitachi Energy
- Product: Service Suite
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-02-25
- Original CVE updated: 2025-02-25
- Advisory published: 2025-02-25
- Advisory updated: 2025-02-25
Who should care
Organizations running Hitachi Energy Service Suite version 9.8.1.3 or earlier, especially OT/ICS operators, service owners, and administrators responsible for patching and availability planning.
Technical summary
The source corpus links CVE-2022-29404 to Hitachi Energy Service Suite versions 9.8.1.3 and below in CISA advisory ICSA-25-133-01. The advisory description is generic—"Apache HTTP Server 2.4 vulnerabilities"—and does not enumerate the underlying Apache CVEs or exploitation details, so the safest interpretation is limited to the supplied impact data: CVSS 7.5 HIGH, network attack vector, low complexity, no privileges, no user interaction, and high availability impact only. The recommended fix in the advisory is to upgrade the product to version 9.8.1.4.
Defensive priority
High. This is remotely reachable with no auth or interaction required, and the cited impact is service availability loss in an industrial/operational product.
Recommended defensive actions
- Inventory Hitachi Energy Service Suite deployments and confirm whether any instance is at version 9.8.1.3 or below.
- Plan and apply the vendor update to version 9.8.1.4 as recommended in the advisory.
- Prioritize patching internet-facing or broadly reachable instances first, while maintaining OT/ICS change-control procedures.
- Review exposure of the Service Suite and its Apache HTTP Server component; restrict network access to only required management and application paths.
- Use CISA ICS recommended practices and defense-in-depth guidance to reduce the blast radius of any service interruption.
- Validate the update in a maintenance window and monitor for post-upgrade service instability or logging anomalies.
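One way to carry out the inventory and prioritization steps above, as an added example that is not part of the advisory or any Hitachi Energy tooling: it compares inventoried versions numerically against the fixed release 9.8.1.4 and orders the patch queue with internet-facing hosts first. The CSV layout, host names and exposure labels are constructed assumptions.

```python
import csv
import io

FIXED = (9, 8, 1, 4)  # advisory: update to 9.8.1.4; 9.8.1.3 and below are affected

# Constructed sample inventory; column names, hosts and labels are assumptions.
SAMPLE_INVENTORY = """host,version,exposure
ss-dmz-01,9.8.1.3,internet
ss-ops-02,9.8.1.4,internal
ss-ops-03,9.8.1.10,internal
ss-ops-04,9.8,internal
ss-lab-05,unknown,internal
ss-dmz-06,9.7.2.9,internet
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not dotted-numeric."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    # Short strings are zero-padded ("9.8" -> 9.8.0.0), the conservative reading.
    return tuple(nums + [0] * (4 - len(nums)))

def triage(inventory_csv):
    """Label each row 'affected', 'fixed' or 'verify' and order the patch queue."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ver = parse_version(row["version"])
        if ver is None:
            status = "verify"    # unknown version: confirm by hand, never assume fixed
        elif ver < FIXED:        # tuple compare is numeric, so 9.8.1.10 > 9.8.1.4
            status = "affected"
        else:
            status = "fixed"
        rows.append({**row, "status": status})
    # Affected first, then unverified; internet-facing ahead of internal.
    order = {"affected": 0, "verify": 1, "fixed": 2}
    rows.sort(key=lambda r: (order[r["status"]], r["exposure"] != "internet", r["host"]))
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f'{r["status"]:<9}{r["exposure"]:<10}{r["host"]:<12}{r["version"]}')
```

A plain string comparison would rank 9.8.1.10 below 9.8.1.4 and flag a patched host as affected, which is why the versions are compared as integer tuples.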
Evidence notes
Primary evidence comes from the supplied CISA CSAF source item for ICSA-25-133-01 (published/modified 2025-02-25) and its referenced vendor remediation to update to 9.8.1.4. The affected product is explicitly listed as Hitachi Energy Service Suite versions 9.8.1.3 and below. The supplied enrichment marks this CVE as not in CISA KEV and with no known ransomware campaign use.
Official resources
- CVE-2022-29404 CVE record (CVE.org)
- CVE-2022-29404 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Public government advisory: CISA CSAF ICSA-25-133-01 published 2025-02-25; no KEV entry is supplied for this CVE.