OTPulse
FeedAboutContact

Hitachi Energy AFS660/AFS665

Act Now9.8ICS-CERT ICSA-22-270-01Sep 27, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A buffer overflow vulnerability in Hitachi Energy AFS660/AFS665 frequency converters (releases 7.0.02 and prior) allows an attacker with network access to overflow an internal buffer and execute arbitrary code, gaining full control of the device. The vulnerability has a CVSS score of 9.8, low attack complexity, and requires no authentication. Hitachi Energy recommends updating to firmware version 7.1.05 or later. No public exploits are currently known, but the vulnerability is remotely exploitable.

What this means
What could happen
An attacker could exploit a buffer overflow to execute arbitrary code on the AFS660/AFS665 frequency converter, potentially causing loss of power output, uncontrolled motor acceleration, or process shutdown in electrical generation and distribution systems.
Who's at risk
Electricity utilities and power generation facilities operating Hitachi Energy AFS660 or AFS665 frequency converters. These devices are commonly used in power plants and electrical substations to control motor drives and power conversion. Energy sector organizations relying on these converters for reliable power output should prioritize this vulnerability.
How it could be exploited
An attacker with network access to the AFS660/AFS665 sends a malformed input to trigger the buffer overflow. This allows them to run arbitrary commands on the device and take full control of the frequency converter, which controls critical power conversion functions.
Prerequisites
  • Network reachability to the AFS660/AFS665 device
  • No credentials required
Remotely exploitableNo authentication requiredLow attack complexityCritical CVSS score (9.8)No patch available for versions 7.0.02 and priorAffects critical infrastructure (power systems)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
AFS660/AFS665: Releases 7.0.02 or prior≤ 7.0.027.1.05
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDRestrict network access to AFS660/AFS665 devices—allow only engineering workstations and necessary control system communication
HARDENINGDo not use the AFS660/AFS665 for internet access, email, or general-purpose computing
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate AFS660/AFS665 firmware to version 7.1.05 or later
Long-term hardening
0/3
HARDENINGSeparate the process control network from the internet and corporate networks using a firewall with minimum required open ports
HARDENINGPhysically secure AFS660/AFS665 installations to prevent unauthorized local access
HARDENINGScan all portable computers and removable media for malware before connecting to the control network
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/199a0fa4-564e-48ef-810b-78c6cab15c89
Hitachi Energy AFS660/AFS665 | CVSS 9.8 - OTPulse