Hitachi Energy PCM600

Summary

Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

The following versions of Hitachi Energy PCM600 are affected:

PCM600 Legacy vers:PCM600_Legacy/<=2.11 (CVE-2018-1002208)
PCM600 3.0, 3.0_HF1, 3.0_HF2, 3.0_HF3, 3.1, 3.1_SP1, 3.1_SP2, 3.1_SP3 (CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208)

CVSS	Vendor	Equipment	Vulnerabilities
v3 4.4	Hitachi Energy	Hitachi Energy PCM600	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Background

Critical Infrastructure Sectors: Energy
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

Expand All +

CVE-2018-1002208

SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as ‘Zip-Slip’.

View CVE Details

Affected Products

Vendor:
Hitachi Energy

Product Version:
PCM600 Legacy Version 2.11 and earlier, PCM600 3.0, PCM600 3.0 HF1, PCM600 3.0 HF2, PCM600 3.0 HF3, PCM600 3.1, PCM600 3.1 SP1, PCM600 3.1 SP2, PCM600 3.1 SP3

Product Status:
known_affected

Remediations

None available
Prior to acquisition, PCM600 product versions 2.11 and earlier were distributed under ABB’s organization. Some Hitachi Energy users may still be operating these legacy versions. While ABB continues to maintain the PCM600 2.x product line, Hitachi Energy now exclusively maintains and distributes the PCM600 3.x product line. ABB has recently published a cybersecurity advisory [2NGA002813] (https://library.e.abb.com/public/ec33308ad2c34f92bab09df09c66954d/2NGA002813_PCM600_Sharpziplib_Vulnerability.pdf) with their recommended actions for this same vulnerability. However, because Hitachi Energy does not maintain or validate the PCM600 2.x releases, they cannot assess or guarantee the compatibility of ABB’s recommended updates with other Hitachi Energy IEDs (Relion 670 series, 650 series, SAM600, PWC600). PCM600 versions 3.0, and later are the Hitachi Energy maintained and validated versions, Hitachi Energy strongly recommends users to migrate to these versions. Additionally, please follow Hitachi Energy’s [Industrial Control Systems Best Practices,](https://publisher.hitachienergy.com/preview?DocumentID=8DBD000235&LanguageCode=en&DocumentPartId=&Action=Launch) until the planned remediation is released. Contact your support representative for more detailed guidance tailored to your deployment.

Mitigation
Ensure that Chapter 4 of Cyber Security Deployment Guideline – 1MRK505410 has been followed during the deployment. Ensure that no default credentials are in use. In case of exceptions, please ensure they have been mitigated with adequate countermeasures.

Vendor fix
Update to PCM600 3.1 SP4 (Update Planned)

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	4.4	MEDIUM	CVSS:3 […] Content was cut in order to protect the source.Please visit the source for the rest of the article. This article has been indexed from All CISA Advisories Read the original article: Hitachi Energy PCM600 Share this: Facebook X LinkedIn Like this: Like Loading... Related Tags: All CISA Advisories EN Post navigation ← ABB B&R Automation Runtime Johnson Controls CEM AC2000 → Search for: Pages Advertising Contact Legal and Contact information Opt-out preferences Privacy Policy Social Media Telegram Channel Recent Posts InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise May 6, 2026 IT Security News Hourly Summary 2026-05-06 00h : 3 posts May 6, 2026 IT Security News Daily Summary 2026-05-05 May 5, 2026 Scientists connect “time crystal” to real device in quantum breakthrough May 5, 2026 U.S. court sentences Karakurt ransomware negotiator to 8.5 years May 5, 2026 How Akamai’s Zero Trust Framework Meets Critical U.S. Government Mandates May 5, 2026 Vimeo confirms breach via third-party vendor impacts 119K users May 5, 2026 Google Update: Android Flaw Could Put Billions of Devices at Risk May 5, 2026 Google AppSheet Abuse Helped Phish 30,000 Facebook Accounts May 5, 2026 New WhatsApp Flaws Could Affect Billions of Users After Meta Security Patch May 5, 2026 ABB B&R PVI May 5, 2026 Johnson Controls CEM AC2000 May 5, 2026 Hitachi Energy PCM600 May 5, 2026 ABB B&R Automation Runtime May 5, 2026 ABB B&R Automation Studio May 5, 2026 Low Noise, High Confidence: Optimizing SOC Costs with Better Threat Intelligence May 5, 2026 Vulnerability Summary for the Week of April 27, 2026 May 5, 2026 Introducing AI traffic analysis dashboards for AWS WAF May 5, 2026 IT Security News Hourly Summary 2026-05-05 21h : 2 posts May 5, 2026 Attackers Actively Exploiting Critical Vulnerability in Breeze Cache Plugin May 5, 2026 Copyright © 2026 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com. Manage Consent To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions. Functional Functional Always active The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network. Preferences Preferences The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user. Statistics Statistics The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you. Marketing Marketing The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes. Manage options Manage services Manage {vendor_count} vendors Read more about these purposes View preferences {title} {title} {title}

Summary

Background

Vulnerabilities

CVE-2018-1002208

Affected Products

Hitachi Energy PCM600

Remediations

Metrics

Read the original article:

Share this:

Like this:

Related

Post navigation