OTPulse

Hitachi ABB Power Grids XMC20 Multiservice-Multiplexer

Act Now · CVSS 9.1 · ICS-CERT ICSA-20-294-02 · Oct 20, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The XMC20 multiservice multiplexer contains an authentication bypass vulnerability (CWE-287) in its firmware. An unauthenticated attacker on the network can remotely take control of the device without requiring credentials. Successful exploitation allows remote command execution and full control of the multiplexer, affecting power grid operations. The vulnerability affects XMC20 R4 and R6 models using COGE5 firmware earlier than the patched versions.

What this means
What could happen
An attacker who exploits this vulnerability could remotely take complete control of the XMC20 multiservice multiplexer, potentially disrupting power grid operations, altering electrical distribution settings, or causing equipment damage without needing valid credentials.
Who's at risk
Operators at power utilities and distribution companies using Hitachi ABB Power Grids XMC20 multiservice multiplexers in their electrical distribution, substation automation, or SCADA systems. This is a critical risk for any organization running these devices in active power grid control scenarios.
How it could be exploited
An attacker on the network sends a crafted message to the XMC20 on its control port (likely Modbus TCP or a proprietary protocol on port 502 or similar). The device lacks proper authentication validation, allowing the attacker to bypass security checks and execute arbitrary commands or change device configuration remotely.
Prerequisites
  • Network access to the XMC20 device on its control/management port
  • The XMC20 is running a vulnerable firmware version (R6 with COGE5 < co5ne_r2d14_03.esw OR R4 with COGE5 < co5ne_r1h07_12.esw)
  • No valid credentials or authentication required
Remotely exploitable · No authentication required · Low complexity attack · High EPSS score (78.6%) · Affects critical power grid control equipment · No patch available for end-of-life devices
Exploitability
High exploit probability (EPSS 78.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
XMC20 R4 using COGE5 | < co5ne_r1h07_12.esw | co5ne_r1h07_12.esw
XMC20 R6 using COGE5 | < co5ne_r2d14_03.esw | co5ne_r2d14_03.esw
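
Added example (not part of the advisory or any vendor tooling): a small inventory triage that flags XMC20 units whose COGE5 firmware name is older than the fixed version listed above. The filename layout and the field-by-field ordering are assumptions inferred from the two names on this page, and the hostnames are constructed.

```python
import re

# Fixed COGE5 firmware per XMC20 release, as listed in the advisory.
FIXED = {"R4": "co5ne_r1h07_12.esw", "R6": "co5ne_r2d14_03.esw"}

# Assumed layout co5ne_r<major><letter><minor>_<build>.esw (separator "_" or " "),
# and assumed ordering: fields compare left to right. Not vendor-documented here.
_ESW = re.compile(r"^co5ne[_ ]r(\d+)([a-z])(\d+)[_ ](\d+)\.esw$", re.IGNORECASE)


def parse_esw(name):
    """Return (major, letter, minor, build) or raise ValueError."""
    m = _ESW.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised COGE5 firmware name: {name!r}")
    major, letter, minor, build = m.groups()
    return int(major), letter.lower(), int(minor), int(build)


def status(release, firmware):
    """Classify one device as 'vulnerable', 'fixed' or 'unknown'."""
    fixed = FIXED.get(release.upper())
    if fixed is None:
        return "unknown"          # release not covered by this advisory
    try:
        have, want = parse_esw(firmware), parse_esw(fixed)
    except ValueError:
        return "unknown"          # do not guess; review by hand
    if have[0] != want[0]:
        return "unknown"          # different firmware train for this release
    return "vulnerable" if have < want else "fixed"


# Constructed inventory rows (hostname, release, COGE5 firmware), not real assets.
INVENTORY = [
    ("mux-sub-01", "R6", "co5ne_r2d14_03.esw"),
    ("mux-sub-02", "R6", "co5ne r2d13 09.esw"),
    ("mux-sub-03", "R4", "co5ne_r1h07_11.esw"),
    ("mux-sub-04", "R4", "coge5-custom.bin"),
]


def triage(rows=INVENTORY):
    return {host: status(rel, fw) for host, rel, fw in rows}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```

Anything reported as "unknown" should be checked by hand against the vendor advisory rather than treated as patched.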
Remediation & Mitigation
Do now
  • HARDENING: Isolate XMC20 devices from the internet; do not expose them directly to untrusted networks
  • HARDENING: Deploy a firewall between control systems and corporate/external networks, exposing only the minimum necessary ports for legitimate operations
  • HARDENING: Restrict network access to the XMC20 to only authorized engineering workstations and SCADA/EMS systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update XMC20 R4 firmware to COGE5 Version co5ne_r1h07_12.esw or newer
  • HOTFIX: Update XMC20 R6 firmware to COGE5 Version co5ne_r2d14_03.esw or newer
Long-term hardening
  • HARDENING: Implement network segmentation to separate the XMC20 and power grid control network from business systems, Internet access, and email services
  • HARDENING: Scan portable computers and removable media for malware before connecting to control systems