# Critical Java Deserialization Vulnerability in Hitachi Energy Ellipse Threatens Critical Infrastructure Worldwide
## The Threat
Hitachi Energy has disclosed a critical remote code execution (RCE) vulnerability in its widely deployed Ellipse product, affecting industrial control systems across critical manufacturing sectors globally. The vulnerability resides in a third-party Jasper Report component used for custom report generation within Ellipse, exposing thousands of power utilities and manufacturing facilities to potential compromise.
The flaw stems from improper handling of Java deserialization in the JasperSoft library integrated into Ellipse. Attackers can exploit this weakness to execute arbitrary code remotely on affected systems without requiring user interaction or authentication. Given the reliance on Ellipse for critical infrastructure monitoring and control, this vulnerability poses significant risk to operational continuity and safety systems across power generation, distribution, and manufacturing environments.
The vulnerability is particularly dangerous because Ellipse operates in environments where network segmentation may be less rigorous than in IT-focused systems, and where uptime requirements make rapid patching challenging. An attacker gaining RCE on an Ellipse instance could potentially pivot to connected industrial control systems, extract sensitive operational data, or inject malicious commands into critical infrastructure processes.
## Severity and Impact
| Attribute | Details |
|-----------|---------|
| CVE ID | CVE-2025-10492 |
| CVSS v3.1 Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CWE | CWE-502: Deserialization of Untrusted Data |

The critical CVSS score reflects the severity of this vulnerability. The combination of network accessibility, low attack complexity, and zero authentication requirements means that any network-connected Ellipse instance running affected versions is potentially exploitable. The high impact across confidentiality, integrity, and availability makes this a "lights out" scenario for affected organizations: attackers could read sensitive data, modify operational parameters, or cause system denial of service.
## Affected Products
The following versions of Hitachi Energy Ellipse are confirmed vulnerable:
- Ellipse 9.0.50 or earlier. No version has been specified as safe, so organizations running these versions should assume they are vulnerable.
Hitachi Energy has not yet publicly announced patched versions. Organizations should contact their Hitachi Energy account representative for availability of remediated builds and timelines for patches.
## Mitigations
Given the critical nature of this vulnerability and the typical complexity of patching critical infrastructure systems, Hitachi Energy and CISA recommend a defense-in-depth approach:
Immediate Actions:
1. Restrict Custom Report Loading — The vulnerability specifically affects custom Jasper Report files created by end users. Immediately configure Ellipse to load only trusted reports generated or approved by system administrators. Disable or restrict the ability for unprivileged users to load arbitrary custom reports.
2. Network Segmentation — Implement strict network controls around Ellipse instances. These systems should not have direct internet connectivity. Use firewalls to:
   - Limit inbound connections to only authorized administrative networks
   - Restrict outbound connections to known Hitachi Energy update servers and internal dependencies
   - Block any unnecessary ports and protocols
3. Access Control Hardening:
   - Audit and restrict who has permission to create or modify custom Jasper Reports
   - Implement role-based access controls limiting report generation to trusted administrators
   - Review user permission logs for suspicious report creation activity
4. Operational Controls:
   - Monitor Ellipse application logs for suspicious deserialization attempts or unexpected code execution
   - Implement file integrity monitoring on report directories to detect unauthorized file modifications
   - Establish alert thresholds for abnormal Ellipse process behavior
5. Air-Gapping (If Feasible) — For non-critical Ellipse instances, consider temporary air-gapping until patches are available, if operational requirements permit.
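
One way to combine the trusted-report restriction (item 1) with file integrity monitoring on report directories (item 4) is shown below. This is an added example, not code from Hitachi Energy or CISA. It assumes reports are stored as files in a directory an administrator can baseline; the file names, directory layout and function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = bytes.fromhex("aced0005")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(report_dir: Path) -> dict[str, str]:
    """Baseline recorded by an administrator after reviewing every report file."""
    return {p.relative_to(report_dir).as_posix(): sha256_file(p)
            for p in sorted(report_dir.rglob("*")) if p.is_file()}

def audit_reports(report_dir: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the report directory with the approved baseline."""
    findings = {"unapproved": [], "modified": [], "missing": [], "serialized_unapproved": []}
    seen = set()
    for p in sorted(report_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(report_dir).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected == sha256_file(p):
            continue  # approved and unchanged
        findings["modified" if expected else "unapproved"].append(rel)
        # An unapproved file that starts with a Java serialization header needs review first.
        if p.read_bytes()[:4] == JAVA_SERIAL_MAGIC:
            findings["serialized_unapproved"].append(rel)
    findings["missing"] = sorted(set(manifest) - seen)
    return findings

def demo() -> dict[str, list[str]]:
    """Constructed sample directory; file names and contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "monthly_outage.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"approved-v1")
        (root / "asset_list.jrxml").write_text("<jasperReport name='asset_list'/>")
        manifest = build_manifest(root)
        # Changes made after the baseline was approved:
        (root / "monthly_outage.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"changed")
        (root / "user_upload.jasper").write_bytes(JAVA_SERIAL_MAGIC + b"new")
        (root / "asset_list.jrxml").unlink()
        return audit_reports(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Store the manifest outside the report directory, writable only by administrators, and alert on any non-empty finding.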
Medium-Term Actions:
General Industrial Control System Security:
Beyond this specific vulnerability, CISA emphasizes that critical infrastructure operators should implement layered security controls:
Recommendation for Operators: This vulnerability requires immediate attention despite the complexity of patching critical systems. Implement the network segmentation and access control mitigations without delay. Request a specific patch timeline from Hitachi Energy, and plan your remediation schedule accordingly. Organizations unable to apply patches immediately should consider temporary operational adjustments or increased monitoring to reduce risk exposure while awaiting vendor updates.