Hitachi ABB Power Grids FOX615 Multiservice-Multiplexer

Act NowCVSS 9.1ICS-CERT ICSA-21-007-01Jan 7, 2021

ABBHitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

An authentication bypass vulnerability in the Hitachi ABB Power Grids FOX615 multiservice multiplexer (FOX61x series using CESM1/CESM2 firmware) allows remote attackers to access the device without credentials. Successful exploitation could permit an attacker to read, modify, or intercept communications handled by the multiplexer, potentially affecting grid control and protection functions. The vulnerability exists in FOX61x R1 versions before cesne_r1h07_12.esw and FOX61x R2 versions before cesne_r2d14_03.esw.

What this means

What could happen

An attacker could gain remote access to the FOX615 multiservice multiplexer without any credentials, potentially allowing them to read or modify communications, control setpoints, or disrupt power grid monitoring and protection systems.

Who's at risk

Power utility operators and transmission/distribution system owners using Hitachi ABB Power Grids FOX615 multiservice multiplexers for grid monitoring, protection, and control. This equipment is typically deployed in substations and control centers to manage communications between relays, RTUs, and SCADA systems. Affects both R1 and R2 hardware versions.

How it could be exploited

An attacker with network access to the FOX615 device (typically port 502 for Modbus or similar protocol) can send a specially crafted request that bypasses authentication checks. The device will accept commands without requiring a password or user credentials, granting the attacker the same access as an authorized operator.

Prerequisites

Network access to the FOX615 device on its management/data port (typically accessible from engineering workstations or substation networks)
No credentials required for exploitation

remotely exploitableno authentication requiredlow complexityhigh EPSS score (78.6%)affects critical grid infrastructure

Exploitability

Likely to be exploited — EPSS score 78.3%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

FOX61x R1 using CESM1/CESM2: All< cesne r1h07 12.eswcesne_r1h07_12.esw or newer

FOX61x R2 using CESM1/CESM2: All< cesne r2d14 03.eswcesne_r2d14_03.esw or newer

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to FOX615 devices using firewall rules; only permit communication from authorized engineering workstations and SCADA servers

WORKAROUNDIf remote access is required, use a VPN with current security patches to add an authentication layer between remote users and the FOX615 device

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FOX61x R1 CESM1/CESM2 to firmware version cesne_r1h07_12.esw or newer

HOTFIXUpdate FOX61x R2 CESM1/CESM2 to firmware version cesne_r2d14_03.esw or newer

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate the FOX615 device and other control systems from the corporate network and internet

HARDENINGDisable internet access from FOX615 devices and any workstations that communicate with them

CVEs (1)

CVE-2018-10933

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4908570c-5e8b-4e18-a15c-4ae6cb5eae4b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.