Summary
Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. Successful exploitation of these vulnerabilities can result in the exposure of low-value user management information and device outage. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
The following versions of Hitachi Energy RTU500 Product are affected:
- RTU500 series CMU Firmware vers:RTU500_series_CMU_Firmware/>=12.7.1|<=12.7.7, vers:RTU500_series_CMU_Firmware/>=13.5.1|<=13.5.4, vers:RTU500_series_CMU_Firmware/>=13.6.1|<=13.6.2, vers:RTU500_series_CMU_Firmware/>=13.7.1|<=13.7.7, 13.8.1
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.5 | Hitachi Energy | Hitachi Energy RTU500 Product | Improper Handling of Insufficient Permissions or Privileges, Incomplete List of Disallowed Inputs, Uncontrolled Recursion, Allocation of Resources Without Limits or Throttling |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2026-1772
RTU500 web interface: An unprivileged user can read user management information. The information is not accessible through the RTU500 web user interface itself; reading it without the required privileges takes additional tools such as browser development utilities.
Affected Products
- Product: Hitachi Energy RTU500 Product
- Vendor: Hitachi Energy
- Versions: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware version 13.8.1
- Product status: known_affected
Remediations
- Vendor fix: Update to CMU Firmware version 12.7.8
- Mitigation: Follow general mitigation factors/workarounds
- Vendor fix: Update to CMU Firmware version 13.7.8 or latest
- Vendor fix: Update to CMU Firmware version 13.8.2
Relevant CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVE-2026-1773
IEC 60870-5-104: Reception of an invalid U-format frame can potentially cause a denial of service. The product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.
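For monitoring IEC 60870-5-104 links to affected units, the following added example (not part of the advisory and not Hitachi Energy code) checks U-format APCI frames for conformance to the standard's frame layout. The advisory does not state which malformation triggers CVE-2026-1773, so this flags any non-conforming U-format frame; the function names and sample frames are constructed for illustration.

```python
"""Conformance check for IEC 60870-5-104 U-format APCI frames (added example)."""

START = 0x68  # APCI start octet
# The six U-format control functions; exactly one bit may be set per frame.
U_FUNCTIONS = {
    0x04: "STARTDT act", 0x08: "STARTDT con",
    0x10: "STOPDT act", 0x20: "STOPDT con",
    0x40: "TESTFR act", 0x80: "TESTFR con",
}


def check_u_frame(apdu: bytes):
    """Return (name, []) for a conforming U-frame, (None, [reasons]) for a
    malformed one, and (None, None) for I-/S-format frames (not checked here)."""
    if len(apdu) < 6 or apdu[0] != START:
        return None, ["truncated APCI or bad start octet"]
    length, c1, c2, c3, c4 = apdu[1:6]
    if c1 & 0x03 != 0x03:  # I-format ends in bit 0, S-format in bits 01
        return None, None
    problems = []
    if length != 4 or len(apdu) != 6:
        problems.append("U-frame must be APCI only (length octet 4, no ASDU)")
    func = c1 & 0xFC
    if func not in U_FUNCTIONS:
        problems.append(f"control octet 1 = 0x{c1:02x}: not exactly one function bit")
    if (c2, c3, c4) != (0, 0, 0):
        problems.append("control octets 2-4 must be zero")
    return (None, problems) if problems else (U_FUNCTIONS[func], [])


def audit(frames):
    """Return [(index, reasons)] for every frame that fails the check."""
    findings = []
    for i, frame in enumerate(frames):
        _, problems = check_u_frame(frame)
        if problems:
            findings.append((i, problems))
    return findings


# Constructed sample APDUs (not captured traffic).
SAMPLES = [
    bytes.fromhex("680443000000"),  # TESTFR act, conforming
    bytes.fromhex("68040b000000"),  # STARTDT con, conforming
    bytes.fromhex("680401000000"),  # S-format, outside this check
    bytes.fromhex("680403000000"),  # U-format, no function bit set
    bytes.fromhex("680443000100"),  # U-format, non-zero control octet 3
]

if __name__ == "__main__":
    for idx, reasons in audit(SAMPLES):
        print(f"frame {idx}: {SAMPLES[idx].hex()} -> {'; '.join(reasons)}")
```

The check takes whole APDUs, so TCP stream reassembly and splitting on the start octet and length octet must happen before frames are passed to `audit`.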
Affected Products
- Product: Hitachi Energy RTU500 Product
- Vendor: Hitachi Energy
- Versions: RTU500 series CMU Firmware version 12.7.1 through 12.7.7, RTU500 series CMU Firmware version 13.5.1 through 13.5.4, RTU500 series CMU Firmware version 13.6.1 through 13.6.2, RTU500 series CMU Firmware version 13.7.1 through 13.7.7, RTU500 series CMU Firmware ver
[…]