Hitachi Energy MicroSCADA System Data Manager SDM600

Plan PatchCVSS 9.9ICS-CERT ICSA-23-096-05Apr 10, 2023

Hitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Hitachi Energy MicroSCADA System Data Manager SDM600 versions prior to 1.3.0.1339 contain multiple vulnerabilities (CWE-434 unrestricted file upload, CWE-285 improper access control, CWE-404 missing authentication, CWE-269 improper privilege handling) that could allow an attacker with valid credentials and network access to gain remote control of the system and modify critical operations. The vulnerabilities affect SDM600 versions prior to v1.2 FP3 HF4 (Build Nr. 1.2.23000.291) and v1.3.0 (Build Nr. 1.3.0.1339).

What this means

What could happen

An attacker with valid SDM600 credentials and network access could gain remote control of the system and modify critical grid or facility operations, including sensor readings and control commands.

Who's at risk

Energy utilities and grid operators using Hitachi Energy MicroSCADA System Data Manager SDM600 for SCADA data management and control. Affected versions include all builds prior to 1.3.0.1339. This system is critical for real-time grid operations and situational awareness.

How it could be exploited

An attacker with valid engineering credentials and network access to SDM600 exploits multiple privilege escalation and file upload vulnerabilities (CWE-434, CWE-285, CWE-269) to gain elevated permissions and inject malicious code, resulting in remote code execution and full system control.

Prerequisites

Valid engineering credentials or user account on SDM600
Network access to SDM600 management interface
SDM600 version prior to 1.3.0.1339

Remotely exploitableAuthentication required but with valid credentialsLow complexity attackCritical CVSS score (9.9)Affects grid control systemsPrivilege escalation and code execution possible

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

SDM600:< 1.2 FP3 HF4 (Build Nr . 1.2.23000.291)1.3.0.1339

SDM600:< 1.3.0 (Build Nr. 1.3.0.1339)1.3.0.1339

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGImplement firewall rules to restrict network access to SDM600 from outside the process control network

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SDM600 to version 1.3.0.1339 or later

Long-term hardening

0/1

HARDENINGApply principle of least privilege to SDM600 user accounts and permissions

CVEs (5)

CVE-2022-3682 CVE-2022-3683 CVE-2022-3684 CVE-2022-3685 CVE-2022-3686

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/865027b4-abbc-4fbb-96c2-72481c1ef6c6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.