PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-44729 Hitachi Energy CVE debrief

CVE-2022-44729 is a high-severity SSRF issue disclosed in CISA’s advisory for Hitachi Energy Asset Suite. The advisory says Apache XML Graphics Batik 1.16 can, by default, load external resources from a malicious SVG, which may lead to resource consumption and in some cases information disclosure. The supplied remediation is to upgrade Asset Suite to version 9.7 and apply the advisory’s general mitigation factors.

Vendor: Hitachi Energy
Product: Asset Suite
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-08-26
Original CVE updated: 2025-08-26
Advisory published: 2025-08-26
Advisory updated: 2025-08-26

Who should care

Hitachi Energy Asset Suite administrators, ICS/OT security teams, and any operators whose deployments process or render SVG content from untrusted sources. Security teams managing dependency risk for bundled open-source components should also review this advisory.

Technical summary

The CISA CSAF advisory (ICSA-25-261-04) describes CVE-2022-44729 as a Server-Side Request Forgery vulnerability in Apache XML Graphics Batik 1.16 affecting Hitachi Energy Asset Suite. The listed CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H (7.1). In the described condition, a malicious SVG may trigger external resource loading by default, which can consume resources and, in some cases, expose information.

Defensive priority

High. Prioritize upgrading affected Asset Suite installations to version 9.7, then confirm the vendor’s general mitigation factors are in place. Treat systems that ingest or render untrusted SVG content as especially important to review.

Recommended defensive actions

  • Upgrade Hitachi Energy Asset Suite to version 9.7.
  • Apply the general mitigation factors referenced in the advisory.
  • Inventory Asset Suite deployments to identify any instances that may include Apache XML Graphics Batik 1.16.
  • Follow CISA ICS recommended practices and defense-in-depth guidance referenced in the advisory.
  • Validate that any workflows accepting SVG content are restricted to trusted inputs until the upgrade is completed.
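
One way to pre-screen SVG files for the external resource references described in the technical summary, before they reach a Batik-based renderer. This is an added example, not code from the advisory, Hitachi Energy or Apache Batik; the function names, the sample SVG and the policy of allowing only same-document fragments and data: URIs are assumptions.

```python
import re
import xml.parsers.expat

# Targets of url(...) and @import in CSS values and <style> text.
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)
# Constructed sample: one remote image, one local fragment, one remote CSS url().
SAMPLE = b"""<svg xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://example.invalid/a.png"/><use xlink:href="#g"/>
<style>rect { fill: url(http://example.invalid/p.svg#x) }</style></svg>"""

def _needs_fetch(ref):
    # Policy assumption: only "#fragment" and inline data: URIs are acceptable.
    ref = ref.strip()
    return bool(ref) and not ref.startswith("#") and not ref.lower().startswith("data:")

def find_external_refs(svg_bytes):
    """Return sorted (location, reference) pairs a renderer would have to load."""
    findings, stack, style_text = set(), [], []

    def record(location, text, is_link=False):
        refs = [text] if is_link else [a or b for a, b in CSS_REF.findall(text)]
        findings.update((location, r) for r in refs if _needs_fetch(r))

    def start(name, attrs):
        local = name.rsplit(":", 1)[-1]          # ignore the namespace prefix
        stack.append(local)
        for attr, value in attrs.items():
            record(f"{local}@{attr}", value, attr.rsplit(":", 1)[-1] in ("href", "src"))

    def end(name):
        if stack.pop() == "style":               # scan the stylesheet once complete
            record("style", "".join(style_text))
            style_text.clear()

    def chars(data):
        if stack and stack[-1] == "style":
            style_text.append(data)

    def doctype(*_):
        # Reject DTDs outright so entity declarations are never processed.
        raise ValueError("DOCTYPE not allowed in untrusted SVG")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler, parser.StartDoctypeDeclHandler = chars, doctype
    try:
        parser.Parse(svg_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed SVG: {exc}") from exc
    return sorted(findings)
```

A non-empty result or a ValueError is a reason to hold the file back from rendering until the upgrade to version 9.7 is in place.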

Evidence notes

This debrief is based on the supplied CISA CSAF advisory ICSA-25-261-04 and its referenced vendor and CISA pages. The source corpus states that the issue affects Apache XML Graphics Batik 1.16 in Hitachi Energy Asset Suite, that malicious SVG content may trigger external resource loading by default, and that the product-level remediation is to upgrade to version 9.7. The supplied timeline places public disclosure on 2025-08-26; no KEV entry is provided in the corpus.

Official resources

Publicly disclosed in CISA’s advisory ICSA-25-261-04 on 2025-08-26, with the supplied source corpus showing no KEV listing.