PatchSiren cyber security CVE debrief
CVE-2025-23184 Hitachi Energy CVE debrief
CVE-2025-23184 is a network-reachable denial-of-service issue associated with Apache CXF versions before 3.5.10, 3.6.5, and 4.0.6. In edge cases, CachedOutputStream instances may not be closed and can fill temporary filesystems, affecting both servers and clients. In the supplied advisory corpus, Hitachi Energy maps this issue to Asset Suite and recommends upgrading to version 9.7 and applying vendor mitigation guidance.
- Vendor: Hitachi Energy
- Product: Asset Suite
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-08-26
- Original CVE updated: 2025-08-26
- Advisory published: 2025-08-26
- Advisory updated: 2025-08-26
Who should care
Administrators, operators, and security teams responsible for Hitachi Energy Asset Suite deployments should review this immediately, especially where availability is critical or the platform may be using affected Apache CXF components. Any team managing systems that rely on the vulnerable CXF versions should also assess exposure.
Technical summary
The advisory describes a denial-of-service condition in Apache CXF where CachedOutputStream resources may remain open in some edge cases. If the streams are backed by temporary files, repeated leakage can exhaust disk space and impair availability. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely reachable availability-impacting issue with no privileges or user interaction required.
Defensive priority
High
Recommended defensive actions
- Upgrade Hitachi Energy Asset Suite to the vendor-recommended fixed version, 9.7, as listed in the supplied CSAF remediation.
- Apply the vendor-provided mitigation factors referenced in the advisory.
- Review deployments for use of Apache CXF versions earlier than 3.5.10, 3.6.5, or 4.0.6 where applicable.
- Monitor temporary filesystem usage and disk space on affected hosts so resource exhaustion is detected early.
- Prioritize assessment of production or mission-critical Asset Suite environments that would be sensitive to service interruption.
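One way to carry out the version review and the temp-filesystem check from the list above (an added example, not part of the advisory or vendor guidance). It assumes CXF is deployed as `cxf-core-<version>.jar`, treats branches older than 3.5 as affected, and reports branches the advisory text does not name as `unlisted`; the function names are illustrative.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Fixed releases named in the advisory text, keyed by (major, minor) branch.
FIXED = {(3, 5): (3, 5, 10), (3, 6): (3, 6, 5), (4, 0): (4, 0, 6)}
JAR_RE = re.compile(r"^cxf-core-(\d+)\.(\d+)\.(\d+)(?:[.-].*)?\.jar$")


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a (major, minor, patch) tuple."""
    branch = version[:2]
    if branch in FIXED:
        return "affected" if version < FIXED[branch] else "fixed"
    # Assumption: anything older than the 3.5 branch predates every fixed release.
    if branch < min(FIXED):
        return "affected"
    # Branch not named in the advisory text: verify against upstream by hand.
    return "unlisted"


def scan(root):
    """Return (path, version, verdict) for every cxf-core jar found under root."""
    findings = []
    for jar in sorted(Path(root).rglob("cxf-core-*.jar")):
        m = JAR_RE.match(jar.name)
        if m:
            version = tuple(int(g) for g in m.groups())
            findings.append((str(jar), ".".join(m.groups()), classify(version)))
    return findings


def tmp_usage_percent(path=None):
    """Percent of the temp filesystem in use.

    Assumption: the JVM's java.io.tmpdir is the OS temp directory; pass the
    real path if the application server overrides it.
    """
    usage = shutil.disk_usage(path or tempfile.gettempdir())
    return 100.0 * usage.used / usage.total


if __name__ == "__main__":
    import sys
    for path, ver, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:9} {ver:8} {path}")
    print(f"temp filesystem used: {tmp_usage_percent():.1f}%")
```

Run it against the application's install directory; a build that carries a vendor backport can still report `affected`, since only the version number in the filename is compared.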
Evidence notes
The source corpus indicates initial publication on 2025-08-26 via CISA CSAF advisory ICSA-25-261-04. The advisory text states that the issue affects Apache CXF before 3.5.10, 3.6.5, and 4.0.6, with CachedOutputStream instances potentially left open and temporary filesystems filled. The supplied CVSS score is 7.5 (High), with a network attack vector, no privileges required, no user interaction, and availability impact only. The enrichment data shows no Known Exploited Vulnerabilities (KEV) listing in the supplied corpus. The vendor remediation in the source data is to upgrade to version 9.7 and apply the general mitigation factors.
Official resources
- CVE-2025-23184 CVE record (CVE.org)
- CVE-2025-23184 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in CISA CSAF advisory ICSA-25-261-04 on 2025-08-26; no KEV listing is present in the supplied data.