CVE-2025-10492

Published Sep 16, 2025

Last updated 2 months ago

Overview

Description: A Java deserialisation vulnerability has been discovered in Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library.
Source: db6d2600-d19b-4111-a010-f3c4ed70cd50
NVD status: Modified
Products: jasperreports_io, jasperreports_library, jasperreports_server, jasperreports_studio, jasperreports_web_studio

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.7
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

db6d2600-d19b-4111-a010-f3c4ed70cd50: CWE-502
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-502

Social media

Hype score
Not currently trending
  1. Attackers exploiting CVE-2025-10492 in Hitachi Energy's Ellipse platform can achieve unauthenticated remote code execution, then escalate privileges and move laterally across enterprise networks. Runtime segmentation helps limit blast radius when critical infrastructure systems

    @aviatrixtrc

    3 Apr 2026

  2. ⚠️ **Vulnerability Alert:** Jaspersoft Java Deserialization RCE in Hitachi Energy Ellipse (CVE-2025-10492) 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical 🔴) | 📈 EPSS: 59.43% 🛠️ **Exploit Maturity:** Not Available 📂 **Affected Versions:** Ellipse <= 9.0.

    @syedaquib77

    2 Apr 2026

  3. ⚠️ **Vulnerability Alert:** Hitachi Energy Ellipse Jaspersoft Java Deserialization Remote Code Execution 📅 **Timeline:** Disclosure: N/A, Patch: N/A 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical 🔴) | 📈 EPSS: 59.43% 🛠️ **Exploit Maturity:** Not Available

    @syedaquib77

    2 Apr 2026

  4. ⚠️ **Vulnerability Alert:** Hitachi Energy Ellipse Jaspersoft Java Deserialization RCE (CVE-2025-10492) 📅 **Timeline:** Disclosure: Not Available; Patch: Not Available 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical 🔴) | 📈 EPSS: 59.43% 🛠️ **Exploit Maturity

    @syedaquib77

    2 Apr 2026

  5. ⚠️ **Vulnerability Alert:** Hitachi Energy Ellipse - Jaspersoft Java Deserialization RCE (CVE-2025-10492) 📅 **Timeline:** Disclosure: Unknown, Patch: Unknown 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical 🔴) | 📈 EPSS: 59.43% 🛠️ **Exploit Maturity:** Not Av

    @syedaquib77

    2 Apr 2026

  6. ⚠️ **Vulnerability Alert:** Jaspersoft (Jasper Report) Java Deserialization RCE in Hitachi Energy Ellipse (CVE-2025-10492) 📅 **Timeline:** Not Available 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical 🔴) | 📈 EPSS: 59.43% 🛠️ **Exploit Maturity:** Not Availab

    @syedaquib77

    2 Apr 2026

  7. ⚠️ **Vulnerability Alert:** Multiple ICS Vulnerabilities: Hitachi Ellipse JasperReports RCE; Siemens SICAM 8 DoS/Out-of-bounds; Yokogawa CENTUM VP Hard-coded Password 📅 **Timeline:** Disclosure: unknown, Patch: unknown 🆔 **CVE-2025-10492** | 📊 CVSS: 9.8 (Critical

    @syedaquib77

    2 Apr 2026

  8. ⚠️ **Vulnerability Alert:** Multiple ICS Vulnerabilities: Hitachi Energy Ellipse JasperReports RCE; Siemens SICAM 8 DoS (XML parsing/resource exhaustion); Yokogawa CENTUM VP hard-coded PROG password 📅 **Timeline:** Disclosure: 2025-09-16, Patch: 2026-03-30 🆔 **CVE-2025

    @syedaquib77

    2 Apr 2026

  9. Hitachi Energy Asset Suite versions 9.7 and earlier have a Java deserialization flaw (CVE-2025-10492) via Jasper Report, allowing remote code execution. Network segmentation and firewalls are recommended. #EnergySecurity #JavaFlaw #USA https://t.co/D4cOzDmDjd

    @TweetThreatNews

    10 Jan 2026

  10. CVE-2025-10492: How a Third-Party Library Exposed the Core of Hitachi Energy’s Asset Suite Read the full report on - https://t.co/nFTJbZBkXy https://t.co/8YQkQYhNNd

    @cyberbivash

    10 Jan 2026

  11. Jaspersoft Jasper Reports JRLoader Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2025-10492) #CVE202510492 #CyberSecurity #Jaspersoft #RemoteCodeExecutionVulnerability https://t.co/SFQXdf0pAb https://t.co/dKSqohi3pd

    @SystemTek_UK

    11 Oct 2025

  12. CVE-2025-10492 Java Deserialization Remote Code Execution in Jaspersoft Library https://t.co/Mqc2zYye0A

    @VulmonFeeds

    17 Sept 2025

Configurations