Hitachi Energy MSM Product

Act Now9.8ICS-CERT ICSA-22-242-03Aug 30, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Hitachi Energy MSM versions 2.2 and earlier contain a vulnerability exploitable remotely without authentication. Successful exploitation could disrupt the MSM web interface functionality, steal user credentials, or cause denial-of-service conditions. The vulnerability has low attack complexity and can be exploited from the network.

What this means

What could happen

An attacker could disrupt the MSM web interface, steal user credentials needed for system administration, or cause a denial-of-service condition that prevents operators from accessing or managing the system. This could impact energy distribution visibility and response capability.

Who's at risk

Energy utilities operating Hitachi Energy MSM (Substation Message Management) systems for power grid monitoring and control should be concerned. This affects the supervisory software used to manage and visualize grid operations across generation, transmission, and distribution networks.

How it could be exploited

An attacker on the network can send specially crafted requests to the MSM web interface without requiring authentication or user interaction. The low attack complexity means simple network tools can be used to exploit the vulnerability and gain control of or disrupt the MSM system.

Prerequisites

Network access to MSM web interface (default port 443)
No authentication required
No user interaction required

remotely exploitableno authentication requiredlow complexitycritical severity (CVSS 9.8)no patch availableaffects operational visibility and control

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

MSM:≤ 2.2No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/3

HARDENINGIsolate MSM systems from the general network using a firewall, allowing only necessary ports for legitimate MSM traffic

HARDENINGApply network segmentation to separate process control systems from corporate networks and internet-connected systems

HARDENINGDisable direct internet access to MSM web interfaces; require VPN or out-of-band access for remote administration

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGRestrict physical access to MSM servers and control system equipment

Mitigations - no patch available

0/2

MSM: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement host-based hardening on all computers connected to MSM (Windows Desktop/Server CIS benchmarks)

HARDENINGScan portable devices and removable media for malware before connecting to MSM network

CVEs (1)

CVE-2015-6584

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/96d8ffc0-4582-409d-8724-eb79d44182cd