Introduction
Security teams managing Operational Technology (OT) and Critical Manufacturing environments must immediately address a critical security flaw identified in Hitachi Energy's Ellipse product. Tracked as CVE-2025-10492, the vulnerability allows unauthenticated remote code execution: an attacker with network access to the vulnerable interface could take complete control of an affected system without valid credentials. Given the role of Hitachi Energy products in critical infrastructure, the impact of a successful compromise could extend beyond data loss to operational disruption and physical safety concerns.
Technical Analysis
CVE-2025-10492 is a critical severity vulnerability (CVSS v3 score: 9.8) affecting Hitachi Energy Ellipse versions 9.0.50 and earlier. The root cause is a "Deserialization of Untrusted Data" vulnerability within the Jasper Report component integrated into the Ellipse software.
Deserialization vulnerabilities occur when an application accepts untrusted data and attempts to reconstruct an object from it. In this case, a specially crafted request sent to the Jasper Report interface could trigger the deserialization of malicious objects, leading to remote code execution (RCE). Because no authentication is required, the flaw is reachable by any actor with network access to the vulnerable interface.
- Affected Product: Hitachi Energy Ellipse
- Affected Versions: <= 9.0.50
- Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
- Sector: Critical Manufacturing
- Advisory Source: CISA ICS Advisory ICSA-26-092-03
Defensive Monitoring
To protect your organization against exploitation attempts targeting CVE-2025-10492, Security Arsenal recommends implementing the following detection rules. These focus on identifying the post-exploitation behavior often associated with Java-based deserialization flaws, such as unexpected child processes spawned by the underlying Java runtime.
SIGMA Rules
---
title: Suspicious Java Spawning Shell - Ellipse RCE Indicator
id: a1b2c3d4-5678-49ab-cdef-0123456789ab
status: experimental
description: Detects potential exploitation of Java deserialization flaws (like CVE-2025-10492) by identifying when the Java process spawns suspicious child processes like cmd or PowerShell.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-03
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2025/02/12
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\java.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  filter:
    CommandLine|contains:
      - 'jenkins'
      - 'authorized'
  condition: selection and not filter
falsepositives:
  - Legitimate administrative scripts run by Java applications
level: high
---
title: Java Process Outbound Network Connection to Non-Standard Ports
id: b2c3d4e5-6789-4abc-def0-123456789abc
status: experimental
description: Detects suspicious network connections initiated by a Java process to non-standard ports, potentially indicating reverse shell activity post-exploitation.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2025/02/12
tags:
  - attack.command_and_control
  - attack.t1071
  - attack.c2
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith: '\java.exe'
    Initiated: 'true'
  # Sigma has no '|not' modifier; expected ports are excluded via a filter in the condition
  filter_expected_ports:
    DestinationPort:
      - 80
      - 443
      - 8080
      - 8443
  condition: selection and not filter_expected_ports
falsepositives:
  - Legitimate application plugins connecting to update servers or backends
level: medium
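To check what the two rules above actually match before deploying them, it helps to run their logic over a handful of events. The following Python script is an added example, not code from the original post or from Security Arsenal: the process-creation and network-connection records in it are constructed to resemble Sysmon/EDR telemetry and use the same field names as the SIGMA rules. A real deployment compiles the rules with pySigma or sigma-cli for the target SIEM; this script only mirrors their matching logic so it can be exercised offline.

```python
"""Evaluate the two SIGMA rules above against constructed endpoint events.

Added example, not code from the original post or from Security Arsenal.
The events are constructed (not real logs) and follow the rules' field names.
"""

SHELL_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
ALLOWLIST_TERMS = ("jenkins", "authorized")      # rule 1's 'filter' block
EXPECTED_PORTS = {80, 443, 8080, 8443}           # rule 2's expected-port list

# Constructed sample telemetry (not real logs); the path is an assumed one.
JAVA = "C:\\Ellipse\\jre\\bin\\java.exe"
PROCESS_EVENTS = [
    {"id": 1, "ParentImage": JAVA, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c set"},                                # matches
    {"id": 2, "ParentImage": JAVA,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\ops\\authorized_backup.ps1"},  # allow-listed
    {"id": 3, "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},   # parent not java
    {"id": 4, "ParentImage": JAVA, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},                        # child not a shell
]
NETWORK_EVENTS = [
    {"id": 10, "Image": JAVA, "Initiated": "true", "DestinationPort": 443},   # expected port
    {"id": 11, "Image": JAVA, "Initiated": "true", "DestinationPort": 4444},  # matches
    {"id": 12, "Image": JAVA, "Initiated": "false", "DestinationPort": 4444}, # inbound, ignored
    {"id": 13, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "Initiated": "true", "DestinationPort": 4444},                          # not java
]


def java_spawned_shell(event):
    """Rule 1: java.exe parent, shell child, command line not allow-listed.
    Sigma string matching is case-insensitive by default, hence lower()."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not parent.endswith("\\java.exe") or not image.endswith(SHELL_IMAGES):
        return False
    return not any(term in cmdline for term in ALLOWLIST_TERMS)


def java_nonstandard_outbound(event):
    """Rule 2: java.exe initiated a connection to a port outside EXPECTED_PORTS."""
    image = event.get("Image", "").lower()
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return (image.endswith("\\java.exe") and initiated
            and event.get("DestinationPort") not in EXPECTED_PORTS)


def evaluate(process_events, network_events):
    """Return the ids of the events each rule would alert on."""
    return {
        "java_spawned_shell": [e["id"] for e in process_events
                               if java_spawned_shell(e)],
        "java_nonstandard_outbound": [e["id"] for e in network_events
                                      if java_nonstandard_outbound(e)],
    }


if __name__ == "__main__":
    for rule, ids in evaluate(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(f"{rule}: {ids}")
```

Event 2 is the interesting case: it is a Java-spawned PowerShell, but the `authorized` term in its command line drops it, which is exactly the allow-list behaviour (and the blind spot) the rule's `filter` block creates. Tune those terms to your own scheduled-task naming before relying on them.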
KQL (Microsoft Sentinel/Defender)
The following KQL queries can be used in Microsoft Sentinel or Defender for Endpoint to hunt for signs of exploitation.
// Hunt for Java processes spawning shells (Potential RCE)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "java.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by Timestamp desc
// Identify network connections from Java to suspicious ports
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "java.exe"
| where ActionType == "ConnectionInitiated"
| where RemotePort !in (80, 443, 8080, 8443)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine
Velociraptor VQL
For organizations using Velociraptor for Digital Forensics and Incident Response (DFIR), these VQL artifacts help hunt for process anomalies.
-- Hunt for Java parent processes spawning suspicious shells
-- pslist() exposes Ppid but no nested Parent field, so collect the Java
-- processes first and then list their children.
LET JavaProcs = SELECT Pid AS JavaPid, Name AS ParentName, CommandLine AS ParentCmd
  FROM pslist()
  WHERE Name =~ 'java'

SELECT * FROM foreach(row=JavaProcs, query={
  SELECT Pid, Name, CommandLine, Exe, Username, CreateTime, ParentName, ParentCmd
  FROM pslist()
  WHERE Ppid = JavaPid
    AND Name in ('cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe')
})

-- Hunt for Ellipse related file modifications in the last 24 hours
-- (now() returns epoch seconds; convert to a timestamp before comparing with Mtime)
SELECT FullName, Size, Mtime, Btime
FROM glob(globs="C:/Program Files/**/Ellipse/**")
WHERE Mtime > timestamp(epoch=now() - 86400)
PowerShell Remediation Check
Use this PowerShell snippet to audit your environment for the presence of vulnerable Hitachi Energy Ellipse versions. Note: Adjust the file path based on your specific installation directory.
# Audit Hitachi Energy Ellipse Versions
$installPaths = @(
    "C:\Program Files (x86)\Hitachi Energy\Ellipse",
    "C:\Program Files\Hitachi Energy\Ellipse",
    "D:\Ellipse"
)
# Versions at or below this are affected by CVE-2025-10492
$vulnerableMax = [version]"9.0.50"

foreach ($path in $installPaths) {
    if (Test-Path $path) {
        Write-Host "Checking path: $path" -ForegroundColor Cyan
        $files = Get-ChildItem -Path $path -Recurse -Filter "*.dll" -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*Ellipse*" -or $_.Name -like "*core*" }
        foreach ($file in $files) {
            $versionInfo = $file.VersionInfo
            Write-Host "File: $($file.FullName)"
            Write-Host "Product Version: $($versionInfo.ProductVersion)"
            # Compare as [version] objects, not strings: as strings, "10.0.0" -le "9.0.50" is $true.
            # Keep only the numeric part in case the field carries a build suffix (e.g. "9.0.50 build 12").
            $parsed = $null
            $numeric = ("$($versionInfo.ProductVersion)" -split '[\s\-\+]')[0]
            if ([version]::TryParse($numeric, [ref]$parsed)) {
                if ($parsed -le $vulnerableMax) {
                    Write-Host "[ALERT] Potential Vulnerable Version Detected!" -ForegroundColor Red
                } else {
                    Write-Host "[OK] Version appears safe." -ForegroundColor Green
                }
            } else {
                Write-Host "[WARN] Could not parse version string; verify this file manually." -ForegroundColor Yellow
            }
        }
    } else {
        Write-Host "Path not found: $path" -ForegroundColor Gray
    }
}
Remediation
Given the Critical (9.8) CVSS score and the availability of exploit details, immediate action is required.
- Patch Immediately: Hitachi Energy has released updates addressing this vulnerability. Organizations must upgrade Ellipse to a version newer than 9.0.50. Refer to the official Hitachi Energy advisory or the CSAF document linked in the CISA advisory for the specific patch download links.
- Review Network Controls: Until patching is complete, ensure that the Ellipse application servers are not accessible from the internet. Restrict access to the Ellipse web interface strictly to trusted internal IP ranges via firewall rules.
- Compromise Assessment: If your Ellipse instance is exposed to untrusted networks and has not yet been patched, assume potential compromise. Conduct a thorough log review focusing on the specific indicators mentioned in the Defensive Monitoring section above.