CVE-2025-1036

HIGH

Hitachi Energy TropOS 4th Gen 8.7.0.0-8.9.6.0 - Authenticated OS Command Injection via Logging Page

Title source: llm

Description

A command injection vulnerability exists in the “Logging” page of the web-based configuration utility. An authenticated user with low-privileged network access to the configuration utility can execute arbitrary commands on the underlying OS to obtain root SSH access to the TropOS 4th Gen device.

Scores

CVSS v4 8.7
EPSS 0.0100
EPSS Percentile 58.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (1)
Hitachi Energy/TropOS 4th Gen 8.7.0.0 - 8.9.6.0
Published Oct 28, 2025
Tracked Since Feb 18, 2026