Critical RCE in Hitachi Energy Ellipse (CVE-2025-10492) Threatens Industrial Control Systems
What It Is – Hitachi Energy disclosed a critical deserialization flaw (CVE-2025-10492) in the JasperReports component bundled with its Ellipse SCADA/EMS platform. The vulnerability allows an unauthenticated attacker to execute arbitrary Java code on the affected system.
Exploitability – The flaw is publicly known, has a CVSS v3.1 base score of 9.8 (Critical), and proof‑of‑concept code for remote exploitation has been observed in the wild. No patch was available at the time of advisory release.
Affected Products – Hitachi Energy Ellipse versions 9.0.50 and earlier (global deployments in critical manufacturing and energy utilities).
TPRM Impact –
- A compromised Ellipse instance can give threat actors control over process‑control logic, potentially disrupting production lines or power distribution.
- Third‑party vendors that integrate with Ellipse (e.g., OEMs, engineering firms) inherit the same exposure, expanding the supply‑chain risk surface.
Recommended Actions –
- Immediate Mitigation – Isolate affected Ellipse servers from external networks and apply network‑level filtering for malicious JasperReports payloads.
- Patch Management – Deploy Hitachi Energy’s remediation package (or upgrade to Ellipse 9.0.51+ where the vulnerable JasperReports library is removed).
- Asset Inventory – Verify all deployed Ellipse instances and their version numbers across the organization.
- Monitoring – Enable logging of Java deserialization events and monitor for anomalous process execution.
- Third‑Party Review – Notify all downstream partners that integrate with your Ellipse environment and require them to apply the same mitigations.
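For the Monitoring item, one way to log deserialization events on a JVM is a serialization filter (java.io.ObjectInputFilter, Java 9+). The following is an added example, not code from Hitachi Energy or the CISA advisory; the allow-list prefixes are hypothetical, the sample object is constructed, and whether a given Ellipse deployment lets you install such a filter is an assumption to confirm with the vendor.

```java
import java.io.*;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;

public class DeserializationAudit {
    private static final Logger LOG = Logger.getLogger("deser-audit");

    // Hypothetical allow-list: replace with the packages your reports really serialize.
    private static final List<String> ALLOWED_PREFIXES =
            List.of("java.lang.", "java.util.", "com.example.reports.");

    // Invoked by ObjectInputStream while it reads a serialized stream.
    static ObjectInputFilter.Status audit(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // size/reference callback, no class
        }
        while (c.isArray()) {
            c = c.getComponentType();                  // judge arrays by element type
        }
        if (c.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        String name = c.getName();
        boolean allowed = ALLOWED_PREFIXES.stream().anyMatch(name::startsWith);
        // One log line per class gives the SIEM something to alert on.
        LOG.log(allowed ? Level.FINE : Level.WARNING,
                "deserialization class={0} depth={1} bytes={2} allowed={3}",
                new Object[] {name, info.depth(), info.streamBytes(), allowed});
        return allowed ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless object whose class is off the allow-list.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new File("constructed-sample"));
        }
        try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(DeserializationAudit::audit);
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with ObjectInputFilter.Config.setSerialFilter, or a pattern-based filter can be supplied through the jdk.serialFilter system property. WARNING-level entries from this logger are the events to forward and alert on.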
Source: CISA Advisory – ICSA-26-092-03