CVE-2025-1038

HIGH

Hitachi Energy TropOS 4th Gen 8.7.0.0-8.9.5.9 - Authenticated OS Command Injection via Diagnostics Tools Page

Title source: llm

Description

The “Diagnostics Tools” page of the web-based configuration utility does not properly validate user-controlled input, allowing an authenticated user with high privileges to inject commands into the command shell of the TropOS 4th Gen device. The injected commands can be exploited to execute several set-uid (SUID) applications to ultimately gain root access to the TropOS device.

References (1)

Core 1

Core References

Various Sources

https://publisher.hitachienergy.com/preview?DocumentID=8DBD000214&LanguageCode=en&DocumentPartId=&Action=Launch

Scores

CVSS v4 7.5

EPSS 0.0027

EPSS Percentile 17.8%

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

Hitachi Energy/TropOS 4th Gen 8.7.0.0 - 8.9.6.0

Published Oct 28, 2025

Tracked Since Feb 18, 2026