Summary
Hitachi Energy is aware of a buffer overflow vulnerability that affects MACH HiDraw product versions listed in this document. Successful exploitation of this vulnerability could lead to a buffer overflow condition, potentially resulting in application outages (denial of service) and possible arbitrary code execution. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.
The following versions of Hitachi Energy MACH HiDraw are affected:
- MACH HiDraw vers:MACH_HiDraw/<=9.22 (CVE-2026-7310)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.5 | Hitachi Energy | Hitachi Energy MACH HiDraw | Heap-based Buffer Overflow |
Background
- Critical Infrastructure Sectors: Dams, Energy, Transportation Systems
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2026-7310
A heap-based buffer overflow vulnerability exists in XML parser functionality in the HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system.
Affected Products
Hitachi Energy MACH HiDraw
Hitachi Energy
MACH HiDraw version 9.22 and prior
known_affected
Remediations
Vendor fix
Fixed in version 9.23. Due to the complexity of individual implementation of the project, contact local account team for further information on possible upgrades.
Mitigation
Hitachi’s General Mitigation Factors/Workarounds: Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Proper password policies and processes should be followed.
Relevant CWE: CWE-122 Heap-based Buffer Overflow
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H |
| 4.0 | 4.4 | MEDIUM | CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N |
Acknowledgments
- Hitachi Energy Internal Team reported this vulnerability to CISA.
Notice
The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contai
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: