PatchSiren cyber security CVE debrief
CVE-2025-10492 Jaspersoft CVE debrief
CVE-2025-10492 is a critical Java deserialization vulnerability in a third-party JasperReports/Jaspersoft component used by Hitachi Energy Ellipse for custom reports. According to the advisory, improperly handled externally supplied data could let an attacker execute arbitrary code remotely on affected systems. CISA’s advisory was initially released on 2026-02-24 and republished on 2026-04-02 with the vendor PSIRT advisory update.
- Vendor: Jaspersoft
- Product: Hitachi Energy Ellipse vers:Ellipse/<=9.0.50
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-09
- Original CVE updated: 2026-01-07
- Advisory published: 2025-12-09
- Advisory updated: 2026-01-07
Who should care
Organizations running Hitachi Energy Ellipse, especially OT/ICS operators that use custom reporting features. Also relevant to system administrators, application owners, patch and vulnerability management teams, and defenders responsible for report ingestion or trusted content controls.
Technical summary
The source advisory identifies the weakness as a Java deserialization issue in a JasperReports/Jaspersoft library component embedded in Ellipse. The affected product scope in the source metadata is Hitachi Energy Ellipse vers:Ellipse/<=9.0.50. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: a network-reachable flaw requiring no privileges or user interaction, with high confidentiality, integrity, and availability impact. The advisory recommends restricting the loading of externally created custom reports and allowing only trusted Jasper reports generated by the system administrator.
Defensive priority
Immediate. The advisory rates the issue Critical (CVSS 9.8), and the source describes a remote code execution risk in a component used by an enterprise/OT product. Prioritize exposure review and compensating controls if patching is not immediately available.
Recommended defensive actions
- Confirm whether Hitachi Energy Ellipse is deployed and whether the affected report component is enabled in your environment.
- Restrict loading of external custom reports; allow only trusted Jasper reports generated by the system administrator, as recommended in the advisory.
- Review access paths to report upload/import or any feature that processes externally supplied report content.
- Apply vendor and platform updates as soon as an approved fix is available through the official advisory channel.
- Use layered ICS defensive practices to reduce exposure, including segmentation and other controls from CISA industrial control system guidance.
- Monitor for anomalous activity around report processing and any unexpected execution behavior on Ellipse hosts.
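The advisory's mitigation (accept only administrator-generated reports, never externally supplied serialized content) corresponds to a general Java hardening for the weakness class named in the technical summary: a deny-by-default deserialization filter (JDK 9+ `ObjectInputFilter`). The block below is an added illustration written for this debrief; it is not Hitachi Energy's or Jaspersoft's code and does not model how Ellipse or JasperReports actually load report files. The `ReportDefinition` type, the allowlist pattern, and the sample inputs are assumptions constructed for the demo. It shows the filter refusing any class outside the allowlist before the object is reconstituted, and logs each refusal as a detection hook for the monitoring item in the list above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class ReportDeserializer {

    // Constructed stand-in for a "trusted report definition" type; an assumption for
    // the demo, not a Jaspersoft or Ellipse class.
    public static final class ReportDefinition implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ReportDefinition(String name) { this.name = name; }
    }

    // Deny-by-default filter using JEP 290 pattern syntax: only the listed classes may
    // be reconstituted, "!*" rejects every other class, and the limits cap resource use
    // (nesting depth, array sizes, reference count) before any object graph is built.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;maxrefs=1000;"
            + ReportDefinition.class.getName() + ";"
            + "java.lang.String;"
            + "!*");

    // Wraps the allowlist so each rejection produces a log line: this is the detection
    // signal for "unexpected class or oversized structure in report content".
    private static final ObjectInputFilter LOGGING_FILTER = info -> {
        ObjectInputFilter.Status status = ALLOWLIST.checkInput(info);
        if (status == ObjectInputFilter.Status.REJECTED) {
            String what = info.serialClass() == null
                    ? "resource limit exceeded"
                    : info.serialClass().getName();
            System.err.println("REJECTED deserialization: " + what + " at depth " + info.depth());
        }
        return status;
    };

    // Deserializes report content with the filter installed; the filter must be set
    // on the stream before readObject() is called.
    public static Object loadReport(byte[] untrustedBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrustedBytes))) {
            in.setObjectInputFilter(LOGGING_FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample inputs for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Accepted: a report definition of the allowlisted type.
        Object ok = loadReport(serialize(new ReportDefinition("monthly-summary")));
        System.out.println("accepted: " + ((ReportDefinition) ok).name);

        // Refused: a serializable class that is not on the allowlist. java.io.File is just
        // an arbitrary unexpected type here; the point is that anything unlisted is blocked.
        try {
            loadReport(serialize(new File("/tmp/not-a-report")));
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The rejected load surfaces as an `InvalidClassException` from the stream, and the stderr line from `LOGGING_FILTER` is the event to forward to monitoring. The design choice worth noting is the explicit allowlist rather than a blocklist of known-bad classes: a blocklist has to keep pace with new gadget chains, whereas the allowlist only ever admits the types the report loader is supposed to handle.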
Evidence notes
Source corpus states that a vulnerability exists in a Jasper Report third-party component used for creating custom reports in Ellipse, and that a Java deserialization flaw in Jaspersoft Library may allow remote arbitrary code execution. The source metadata ties the issue to Hitachi Energy Ellipse vers:Ellipse/<=9.0.50 and lists the published CVSS vector as AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CISA’s advisory history shows initial release on 2026-02-24 and republication on 2026-04-02. No KEV entry was provided in the supplied data.
Official resources
- CVE-2025-10492 CVE record (CVE.org)
- CVE-2025-10492 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory released by CISA on 2026-02-24 and republished on 2026-04-02; the supplied source data does not indicate KEV inclusion.