1 Advisory and 5 Updates Published – 1-8-26
Today CISA’s NCCIC-ICS published one control system security advisory for products from Hitachi Energy. They also updated five advisories for products from Mitsubishi. I also take a down-the-rabbit-hole look at CISA’s use of the term ‘verbatim republication’.
Hitachi Energy Advisory
This advisory discusses a deserialization of untrusted data vulnerability in the Hitachi Energy Asset Suite product. The vulnerability is in a third-party component (Jaspersoft). Hitachi Energy has a new version that mitigates the vulnerability.
NCCIC-ICS reports that this vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product.
NOTE: I briefly discussed this vulnerability on December 13th, 2025.
Mitsubishi Update #1
This update provides additional information on the Iconics Digital Solutions advisory that was originally published on May 20th, 2025, and most recently updated on August 28th, 2025. The new information includes adding BizViz and GENESIS32 as affected products, with relevant mitigation strategies.
NOTE: The Mitsubishi advisory also adds ICONICS Suite to the list of affected products (fixed version pending development).
Mitsubishi Update #2
This update provides additional information on the Iconics Digital Solutions advisory that was originally published on July 2nd, 2024, and most recently updated on December 3rd, 2024. The new information includes adding GENESIS32 to the list of affected products.
NOTE: The Mitsubishi advisory also adds ICONICS Suite and BizViz to the list of affected products. These products are also listed in today’s advisory, but they are not named in the version change description.
Mitsubishi Update #3
This update provides additional information on the Iconics Digital Solutions advisory that was originally published on December 3rd, 2024. The new information includes adding GENESIS32 to the list of affected products.
NOTE: The Mitsubishi advisory also adds ICONICS Suite.
Mitsubishi Update #4
This update provides additional information on the HMI SCADA advisory that was originally published on January 20th, 2022. The new information includes adding GENESIS32 to the list of affected products.
NOTE: This CISA advisory was based upon four separate Mitsubishi Advisories, only one of which has been updated. That Mitsubishi advisory also added the ICONICS Suite. Interestingly, the original CISA advisory already included the ICONICS Suite.
Mitsubishi Update #5
This update provides additional information on the Iconics Digital Solutions advisory that was originally published on October 10th, 2022, and most recently updated on September 9th, 2025. The new information includes adding GENESIS32 to the list of affected products.
NOTE: The Mitsubishi advisory also added the ICONICS Suite. The earlier version of the CISA advisory already listed ICONICS Suite, “ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: Version 10.97.3 and prior”.
DTRH – Verbatim Republication
The bottom of the Hitachi Energy advisory described above includes the following ‘Advisory Conversion Disclaimer’:
“This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000231 [link added] from a direct conversion of the vendor’s Common Security Advisory Framework (CSAF) advisory [link added]. This is republished to CISA’s website as a means of increasing visibility and is provided “as-is” for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory.”
While I understand the intent of this statement (removing responsibility for misleading or incorrect information), I have to take exception to the use of the word ‘verbatim’. Dictionary.com defines the word ‘verbatim’ as “in exactly the same words; word for word.” The information provided by CISA fails that definition in a lot of picky ways, but the most obvious to me is the link provided as the reference for the reported CVE number. Hitachi provides a link to the NVD.NIST.gov listing; CISA instead provides (as they have for a couple of years now) a link to the CVE.org listing.
I would have been much happier if they had opened that statement with: “This ICSA is adapted from…”
The other odd thing about this ‘republication’ is that in the ‘Revision History’ at the bottom of the advisory, CISA lists “2025-12-09” as the “Initial public release” and today’s date as the “Initial Republication of Hitachi Energy PSIRT 8DBD000231 advisory”. I appreciate CISA providing this information, but it could get extremely interesting as they go through the process of updating advisories for new information.
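Whether a republication is 'verbatim' is something a reader can check mechanically rather than by eye, since both the vendor advisory and the CISA version exist as CSAF JSON. The script below is an added example, not code from this post, from CISA or from Hitachi Energy. It flattens two CSAF-2.0-shaped documents into dotted field paths and reports every field that differs, classifying a CVE reference that points at the same CVE record on a different host (nvd.nist.gov versus cve.org) as cosmetic, and a revision-history entry present on only one side as added. The two advisories in the script are constructed samples that mimic the two differences described above; their tracking ID and CVE ID are placeholders, not the real identifiers, and the CSAF field names used (document.tracking.revision_history, vulnerabilities[].cve, vulnerabilities[].references[].url) are the standard ones.

```python
"""Diff a vendor CSAF advisory against its 'verbatim' republication.

Added example, not from the original post, CISA or Hitachi Energy.
Both advisories below are CONSTRUCTED samples with placeholder IDs.
"""
import copy
import re
from typing import Any
from urllib.parse import urlsplit

# Constructed vendor advisory, CSAF 2.0 shape, placeholder tracking/CVE IDs.
VENDOR_CSAF: dict[str, Any] = {
    "document": {
        "title": "Deserialization of untrusted data in Example Asset Suite",
        "tracking": {
            "id": "VENDOR-EXAMPLE-0001",
            "version": "1",
            "initial_release_date": "2025-12-09T00:00:00Z",
            "revision_history": [
                {"date": "2025-12-09T00:00:00Z", "number": "1",
                 "summary": "Initial public release"},
            ],
        },
    },
    "vulnerabilities": [
        {
            "cve": "CVE-0000-00000",  # placeholder, not a real CVE
            "references": [
                {"category": "external", "summary": "CVE record",
                 "url": "https://nvd.nist.gov/vuln/detail/CVE-0000-00000"},
            ],
        }
    ],
}

# Constructed republication: same content, but the CVE link now points at
# cve.org and a second revision-history entry records the republication.
REPUBLISHED_CSAF: dict[str, Any] = copy.deepcopy(VENDOR_CSAF)
REPUBLISHED_CSAF["vulnerabilities"][0]["references"][0]["url"] = (
    "https://www.cve.org/CVERecord?id=CVE-0000-00000")
REPUBLISHED_CSAF["document"]["tracking"]["revision_history"].append(
    {"date": "2026-01-08T00:00:00Z", "number": "2",
     "summary": "Initial Republication of VENDOR-EXAMPLE-0001 advisory"})

MISSING = object()  # sentinel: path exists in only one of the two documents
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def flatten(node: Any, prefix: str = "") -> dict[str, Any]:
    """Flatten nested dicts/lists into {dotted.path: leaf_value}."""
    out: dict[str, Any] = {}
    if isinstance(node, dict):
        for key, val in node.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            out.update(flatten(val, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = node
    return out


def classify(path: str, vendor_val: Any, repub_val: Any) -> str:
    """Label one difference: added/removed field, cosmetic URL swap, or change."""
    if vendor_val is MISSING:
        return "added"
    if repub_val is MISSING:
        return "removed"
    if path.endswith(".url"):
        a, b = CVE_RE.search(str(vendor_val)), CVE_RE.search(str(repub_val))
        if a and b and a.group() == b.group():
            return "cosmetic"  # same CVE record, different host
    return "changed"


def diff_advisories(vendor: dict, republished: dict) -> list[tuple[str, str, Any, Any]]:
    """Return (path, kind, vendor_value, republished_value) for every difference."""
    a, b = flatten(vendor), flatten(republished)
    diffs = []
    for path in sorted(a.keys() | b.keys()):
        va, vb = a.get(path, MISSING), b.get(path, MISSING)
        if va != vb:
            diffs.append((path, classify(path, va, vb), va, vb))
    return diffs


def is_verbatim(vendor: dict, republished: dict) -> bool:
    """True only if every field is word-for-word identical."""
    return not diff_advisories(vendor, republished)


def cve_reference_hosts(doc: dict) -> dict[str, set[str]]:
    """Map each CVE in the advisory to the hostnames its references link to."""
    hosts: dict[str, set[str]] = {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln.get("cve")
        if cve is None:
            continue
        hosts.setdefault(cve, set())
        for ref in vuln.get("references", []):
            hosts[cve].add(urlsplit(ref["url"]).hostname or "")
    return hosts


if __name__ == "__main__":
    print("verbatim:", is_verbatim(VENDOR_CSAF, REPUBLISHED_CSAF))
    for path, kind, va, vb in diff_advisories(VENDOR_CSAF, REPUBLISHED_CSAF):
        show = lambda v: "<absent>" if v is MISSING else repr(v)
        print(f"[{kind}] {path}: vendor={show(va)} republished={show(vb)}")
```

Run against the real pair, the same script would answer the question raised above in one line: any non-empty diff means the republication is adapted, not verbatim, and the classification separates a host swap in the CVE link from a genuinely changed field such as a new affected-product entry.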
None of the Mitsubishi advisories have this disclaimer, so the ‘Revision History’ was not affected. It is not clear if this was because Mitsubishi does not provide CSAF advisories, or if it is just because the original advisory did not have the disclaimer.