CISA Warns of RCE Flaw in Hitachi Energy ICS Product

CISA Publishes Advisory for Remote Code Execution Vulnerability in Hitachi Energy Asset Suite

MEDIUM
January 8, 2026
Industrial Control Systems, Vulnerability, Patch Management

Executive Summary

On January 8, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems (ICS) advisory, ICSA-26-008-01, detailing a remote code execution (RCE) vulnerability in Hitachi Energy's Asset Suite. The vulnerability, tracked as CVE-2025-10492, originates from a vulnerable version of a third-party software component, Jasper Report, embedded within the Asset Suite product. A successful exploit could allow an attacker to execute arbitrary code on the affected system. Hitachi Energy's Asset Suite is used in the energy sector, making this a notable risk for critical infrastructure. There is currently no evidence of active exploitation. CISA recommends that asset owners apply vendor-provided mitigations and ensure control system networks are properly segmented from the internet.

Vulnerability Details

  • CVE ID: CVE-2025-10492
  • Affected Product: Hitachi Energy Asset Suite (specific versions)
  • Vulnerability Type: Remote Code Execution (RCE)
  • Root Cause: The vulnerability is not in Hitachi's native code but in a third-party component, Jasper Report, that is bundled with the Asset Suite. Vulnerabilities in third-party libraries are a common form of supply chain risk, where a flaw in one piece of software can create vulnerabilities in many other products that use it.

Affected Systems

The advisory applies to specific versions of the Hitachi Energy Asset Suite. Customers using this product should consult the official advisory from Hitachi Energy or CISA for a definitive list of affected versions and apply the necessary updates or mitigations.

Exploitation Status

As of the advisory's publication, CISA has not received any reports of this vulnerability being actively exploited in the wild. However, the public disclosure of the flaw could lead to threat actors developing exploits and scanning for vulnerable systems.

Impact Assessment

A successful RCE exploit against the Hitachi Energy Asset Suite could have serious consequences, particularly given its use in the energy sector. An attacker could potentially:

  • Compromise the asset management system, leading to loss of view or control over energy assets.
  • Manipulate data within the system, leading to incorrect operational decisions.
  • Use the compromised system as a pivot point to move deeper into the operational technology (OT) or corporate network.
  • Cause disruption to energy grid operations, depending on the specific role of the compromised system.

The exact impact depends on the system's configuration and its role within the broader control system architecture.

Detection Methods

  • Software Bill of Materials (SBOM): Organizations should use an SBOM to identify all products in their environment that contain the vulnerable version of the Jasper Report component.
  • Network Monitoring: Monitor for any unusual network connections to or from the Asset Suite server. Establish a baseline of normal traffic and alert on deviations.
  • Log Analysis: Review application and system logs on the Asset Suite server for any errors or suspicious activity that could indicate an exploitation attempt.

Remediation Steps

CISA and Hitachi Energy recommend the following actions:

  1. Apply Vendor Guidance: Affected customers should obtain and apply the mitigation and remediation information provided by Hitachi Energy.
  2. Minimize Network Exposure: This is a critical best practice for all ICS/OT environments. Ensure that control system devices and servers like the Asset Suite are not accessible from the internet.
  3. Network Segmentation: Isolate control system networks from business (IT) networks using firewalls. All traffic between these zones should be strictly controlled. This corresponds to the D3FEND technique D3-NI (Network Isolation).
  4. Secure Remote Access: If remote access is necessary, it must be performed through a secure, audited method, such as a Virtual Private Network (VPN) with multi-factor authentication (MFA).

Timeline of Events

  1. January 8, 2026: CISA publishes ICS advisory ICSA-26-008-01 for the Hitachi Energy Asset Suite vulnerability.
  2. January 8, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying the vendor-provided patch or mitigation is the direct remediation for the vulnerability.

Isolating the OT network from the IT network and the internet is a fundamental security principle for ICS environments.

Strictly controlling traffic between network segments can prevent an attacker from reaching the vulnerable system.

D3FEND Defensive Countermeasures

For critical infrastructure systems like the Hitachi Energy Asset Suite, the most important security control is robust network isolation. The OT network where this system resides must be physically or logically separated from the corporate IT network and, most importantly, from the public internet. A Purdue Model architecture with a demilitarized zone (DMZ) between IT and OT should be implemented. All communication between these zones must be mediated by firewalls with strict, 'default-deny' rule sets. This ensures that even if a vulnerability like CVE-2025-10492 exists, an external attacker has no direct network path to exploit it. This is a non-negotiable, foundational practice for all ICS/OT security programs.

The fact that CVE-2025-10492 originates in a third-party component (Jasper Report) highlights the critical need for Software Bill of Materials (SBOM) management. Asset owners in the energy sector must require their vendors, including Hitachi Energy, to provide a detailed SBOM for all products. This allows the asset owner to proactively identify their exposure when a vulnerability is disclosed in a common library like Jasper Report, rather than waiting for the product vendor to issue their own advisory. This proactive stance on supply chain vulnerability management allows for faster risk assessment and mitigation planning.
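
An added example, not code from the advisory or from Hitachi Energy: one way to run the SBOM check described under Detection Methods and in the paragraph above, walking a CycloneDX-style JSON SBOM (nested components included) for the Jasper Report component. The SBOM content, the function names and `FIRST_FIXED_PLACEHOLDER` are assumptions; the real fixed version has to come from the vendor advisory.

```python
import json
import re

# Constructed CycloneDX-style SBOM; the product, components and versions are
# invented for illustration and do not come from any vendor's SBOM.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"name": "example-asset-app", "version": "1.0"}},
 "components": [
  {"name": "reporting-module", "version": "2.1.0", "components": [
    {"name": "jasperreports", "version": "6.20.0",
     "purl": "pkg:maven/net.sf.jasperreports/jasperreports@6.20.0"}]},
  {"name": "commons-logging", "version": "1.2"}, {"name": "JasperReports Library"},
  {"name": "jasperreports", "version": "10.0.0"}]}
""")
# PLACEHOLDER, not the real fixed version: take that from the vendor advisory.
FIRST_FIXED_PLACEHOLDER = "9.9.9"

def _walk(components, path):
    """Yield (path, component) for every component, nested ones included."""
    for comp in components or []:
        here = path + [comp.get("name", "?")]
        yield here, comp
        yield from _walk(comp.get("components"), here)

def _version_key(version):
    """Leading dotted-numeric part as a tuple; () when there is none."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    return tuple(int(n) for n in m.group().split(".")) if m else ()

def _norm(text):
    return re.sub(r"[^a-z0-9]", "", (text or "").lower())

def find_component(sbom, needle, first_fixed):
    """List every component whose name or purl contains `needle`."""
    product = sbom.get("metadata", {}).get("component", {}).get("name", "unknown")
    fixed, findings = _version_key(first_fixed), []
    for path, comp in _walk(sbom.get("components"), [product]):
        if not any(_norm(needle) in _norm(comp.get(k)) for k in ("name", "purl")):
            continue
        key = _version_key(comp.get("version"))  # () = version missing/unparsable
        status = ("unknown-version" if not key else
                  "below-fixed" if key < fixed else "at-or-above-fixed")
        findings.append({"path": " > ".join(path), "status": status})
    return findings

if __name__ == "__main__":
    for f in find_component(SAMPLE_SBOM, "Jasper Report", FIRST_FIXED_PLACEHOLDER):
        print(f["status"], f["path"])
```

An `unknown-version` result means the SBOM cannot rule out exposure, so that entry needs a manual check against the vendor's affected-version list.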

Sources & References

Hitachi Energy Asset Suite. CISA (cisa.gov), January 8, 2026.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

CISA, ICS, OT, Vulnerability, RCE, Hitachi Energy, CVE-2025-10492, Energy Sector
