PatchSiren cyber security CVE debrief
CVE-2025-1484 Hitachi Energy CVE debrief
CVE-2025-1484 is a medium-severity vulnerability in the media upload component of Hitachi Energy Asset Suite. CISA’s advisory states that successful exploitation could affect confidentiality or integrity, and that an attacker can construct a request that causes attacker-supplied JavaScript to execute in a user’s browser within that user’s session. The affected product listed in the advisory is Asset Suite version 9.6.4.4, with remediation guidance to update to version 9.6.4.5 when available and to apply vendor mitigation/workaround guidance.
- Vendor: Hitachi Energy
- Product: Asset Suite 9 series
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-29
- Original CVE updated: 2025-04-29
- Advisory published: 2025-04-29
- Advisory updated: 2025-04-29
Who should care
Organizations running Hitachi Energy Asset Suite 9.6.4.4, especially OT/ICS operators, system administrators, application owners, and security teams responsible for browser-based access to the platform.
Technical summary
The advisory describes a vulnerability in the media upload component that can lead to execution of attacker-supplied JavaScript in the browser context of an authenticated user session. The supplied CSAF data identifies Asset Suite version 9.6.4.4 as affected and gives a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, consistent with a network-reachable issue that requires user interaction and can impact the user’s session context. The source corpus does not indicate KEV listing or ransomware linkage.
Defensive priority
Medium
Recommended defensive actions
- Upgrade Hitachi Energy Asset Suite to version 9.6.4.5 when available.
- Apply the vendor’s General Mitigation Factors/Workarounds from the advisory.
- Review and restrict access to the affected application, especially for users who can reach the media upload function.
- Use least privilege for application accounts and limit who can perform upload-related actions.
- Apply ICS defense-in-depth measures such as network segmentation, access control, and monitoring as recommended by CISA.
- Validate that browser and session protections are in place for users accessing the application.
- Track the CISA and vendor advisories for any updated mitigation guidance or product coverage changes.
Evidence notes
This debrief is based only on the supplied CISA CSAF advisory data and the linked official references. The advisory names Hitachi Energy Asset Suite version 9.6.4.4 as affected, describes attacker-supplied JavaScript execution in a user browser session, and recommends updating to 9.6.4.5 plus applying General Mitigation Factors/Workarounds. Published and modified dates in the provided corpus are both 2025-04-29T12:30:00Z. No KEV entry is present in the supplied data.
Official resources
- CVE-2025-1484 CVE record (CVE.org)
- CVE-2025-1484 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed by CISA on 2025-04-29 in advisory ICSA-25-196-01, initial revision 1. The supplied corpus does not show later revisions.