PatchSiren cyber security CVE debrief

CVE-2025-27633 Hitachi Energy CVE debrief

Hitachi Energy TRMTracker is affected by a reflected cross-site scripting (XSS) vulnerability. According to the CISA CSAF advisory, the issue can allow client-side code injection, which may affect the confidentiality and integrity of the application. The advisory identifies affected TRMTracker branches as 6.2.04 and below, and 6.3.0 and 6.3.01, with vendor updates available.

Vendor: Hitachi Energy
Product: TRMTracker
CVSS: 6.1 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-25
Original CVE updated: 2025-03-25
Advisory published: 2025-03-25
Advisory updated: 2025-03-25

Who should care

Organizations running Hitachi Energy TRMTracker, especially administrators, operators, and security teams responsible for web application hygiene and patch management. This is most relevant where TRMTracker is used in production environments and where users may interact with untrusted links or input.

Technical summary

CVE-2025-27633 is a reflected XSS issue in the TRMTracker web application. The supplied advisory describes client-side code injection and lists the CVSS 3.1 vector as AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (CVSS 6.1, Medium). Affected products are TRMTracker versions 6.2.04 and below, and 6.3.0 and 6.3.01. Vendor remediation is to update the 6.2.04 branch to 6.2.04.014 or 6.3.02, and the 6.3.x branch to 6.3.02.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade TRMTracker to the vendor-fixed release: 6.2.04.014 or 6.3.02 for the 6.2.04-and-below branch, and 6.3.02 for the 6.3.0/6.3.01 branch.
  • Review TRMTracker request parameters and any response paths that reflect them, and confirm that untrusted input is validated and output-encoded before it reaches the page.
  • Apply the advisory's general mitigation factors and follow CISA/ICS defensive guidance for industrial environments.
  • Limit exposure of the web application where possible and ensure only authenticated, necessary users can access it.
  • Validate patch deployment in a maintenance window and confirm the affected version has been replaced.

Evidence notes

All statements are drawn from the supplied CISA CSAF source item for ICSA-25-093-02 and its listed references. The advisory was published on 2025-03-25 and revised the same day in the provided data. The affected product entries name TRMTracker versions 6.2.04 and below, and 6.3.0 and 6.3.01. The remediation entries specify 6.2.04.014 or 6.3.02 for one branch and 6.3.02 for the other. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.

Official resources

CISA published the advisory for CVE-2025-27633 on 2025-03-25. In the supplied enrichment, the issue is not marked as a CISA KEV entry. The source data also provides same-day initial publication and modification timestamps for the advisory.