Hitachi Energy MSM
Act Now | 9.8 | ICS-CERT ICSA-23-129-02 | May 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Hitachi Energy MSM version 2.2.5 and earlier contains multiple vulnerabilities affecting authentication, access control, input validation, and memory handling (CWE-307, CWE-294, CWE-94, CWE-119, CWE-476, CWE-331). Successful exploitation allows attackers to obtain user access credentials for the MSM web interface or cause denial-of-service conditions. MSM is not designed for direct internet exposure and should remain on isolated control networks. No vendor patch is available.
What this means
What could happen
An attacker could steal user credentials for the MSM web interface or crash the system, disrupting access to this critical manufacturing message specification platform used in energy generation and distribution facilities.
Who's at risk
Energy utilities operating Hitachi Energy MSM systems for generation, transmission, or distribution control. Any facility using MSM for manufacturing message specification communication with PLCs, RTUs, or other intelligent devices should be concerned, particularly if the system is accessible from corporate networks or has internet connectivity.
How it could be exploited
An attacker on the network can exploit multiple weaknesses in MSM authentication, input validation, and memory handling to either extract stored credentials from the web interface or trigger a denial-of-service condition. The attack requires network access to the MSM device but no authentication or user interaction.
Prerequisites
- Network access to MSM web interface
- Device must be connected to a network reachable by the attacker
- No valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score (16.7%), no patch available, affects industrial control
Exploitability
High exploit probability (EPSS 16.7%)
Affected products (1)
Product | Affected Versions | Fix Status
MSM: <= 2.2.5 | 2.2.5 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Disconnect MSM from any internet-facing or untrusted networks; keep it on an isolated control network only
- HARDENING: Implement network segmentation and firewall rules to restrict access to MSM to only authorized engineering workstations and control systems
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Deploy antivirus and endpoint protection software with current signature rules on all hosts running MMS Client application
- HARDENING: Enable operating system user access controls to limit privilege escalation from MMS Client application to the underlying OS
Mitigations - no patch available
MSM: <= 2.2.5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Apply CIS Microsoft Windows hardening benchmarks to all computers that connect to or manage MSM
CVEs (8)