Summary
Hitachi Energy is aware of vulnerabilities that affect the Relion REB500 product versions listed in this document. Authenticated users with certain roles can exploit the vulnerabilities to access and modify directory contents that they are not authorized to access or modify. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
The following versions of Hitachi Energy Relion REB500 Product are affected:
- Relion REB500 vers:Relion_REB500/<=8.3.3.0 (CVE-2026-2459, CVE-2026-2460)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 6.8 | Hitachi Energy | Hitachi Energy Relion REB500 Product | Privilege Defined With Unsafe Actions |
Background
- Critical Infrastructure Sectors: Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2026-2459
A vulnerability exists in REB500 that allows an authenticated user with the Installer role to access and alter the contents of directories that the role is not authorized to access or alter.
Affected Products
Hitachi Energy Relion REB500 Product
Hitachi Energy
REB500 versions 8.3.3.0 and prior
known_affected
Remediations
Vendor fix
Hitachi Energy recommends that users update to version 8.3.3.1.
Mitigation
For CVE-2026-2459, as a mitigation strategy, users may also disable the Installer role and enable it only during the firmware update process.
Relevant CWE: CWE-267 Privilege Defined With Unsafe Actions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
CVE-2026-2460
A vulnerability exists in REB500 that allows an authenticated user with low-level privileges to use the DAC protocol to access and alter the content of directories that the user is not authorized to access or alter.
Affected Products
Hitachi Energy Relion REB500 Product
Hitachi Energy
REB500 versions 8.3.3.0 and prior
known_affected
Remediations
Vendor fix
Update to version 8.3.3.1
Mitigation
Apply general mitigation factors
Relevant CWE: CWE-267 Privilege Defined With Unsafe Actions
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 6.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
Acknowledgments
- Hitachi Energy reported this vulnerability to CISA.