Hitachi Energy RTU500 series
Plan Patch | 8.6 | ICS-CERT ICSA-21-336-08 | Dec 2, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Hitachi Energy RTU500 series CMU (Communications Management Unit) Firmware allow an attacker with network access to eavesdrop on device communication, retrieve information from memory (CWE-126, CWE-125), or cause denial-of-service conditions. The vulnerabilities stem from insufficient data validation (CWE-203). Affected versions include 12.x, 13.x, and several others. Version 11.x is end-of-life and will not receive patches. Patches are available for some 12.x versions and later.
What this means
What could happen
An attacker with network access could intercept plaintext traffic between RTU500 devices and their management systems to steal operational data, leak sensitive information from device memory, or cause the RTU to stop processing control signals and alarms.
Who's at risk
Electric utilities and transportation operators that deploy Hitachi Energy RTU500 series Remote Terminal Units in substations, data centers, or control facilities are at risk. These devices collect and transmit sensor data and control signals; compromise could expose operational status or disrupt automated switching and protection systems.
How it could be exploited
An attacker on the network segment containing the RTU500 can passively capture and read unencrypted communication traffic between the RTU and its management interface, or send malformed requests that trigger memory access errors or resource exhaustion, causing service disruption.
Prerequisites
- Network access to the RTU500 CMU device or the network segment where it communicates with management systems
- No authentication or credentials required
remotely exploitable, no authentication required, low complexity, no patch available for some versions, affects critical energy infrastructure
Exploitability
Moderate exploit probability (EPSS 1.3%)
Affected products (1)
Product | Affected Versions | Fix Status
RTU500 series CMU Firmware | 12.2.*; 13.1.*; 13.0.* and 6 more | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RTU500 CMU Firmware Version 12.0.x to Version 12.0.14 or later
- HOTFIX: Update RTU500 CMU Firmware Version 12.2.x to Version 12.2.11 or later
- HOTFIX: Update RTU500 CMU Firmware Version 12.4.x to Version 12.4.11 or later
- HOTFIX: Update RTU500 CMU Firmware Version 12.6.x to Version 12.6.7 or later
- HOTFIX: For RTU500 CMU Firmware Version 11.x (end-of-life), upgrade to a current supported firmware version
Long-term hardening
- HARDENING: Isolate RTU500 devices on a separate network segment with access controls limiting communication to authorized management workstations and SCADA masters
- HARDENING: Implement network monitoring to detect unauthorized access attempts to RTU500 devices