OTPulse

Hitachi Energy AFF66x

Act Now | 9.6 | ICS-CERT ICSA-23-234-01 | Aug 22, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The Hitachi Energy AFF660/665 power distribution controllers (firmware ≤03.0.02) contain multiple critical vulnerabilities in web interface validation, random number generation, DNS/NTP configuration, integer handling, and resource management. These allow an attacker to inject malicious code via cross-site scripting, bypass authentication, manipulate device configuration through DNS/NTP spoofing, cause integer overflows, or trigger denial of service. All vulnerabilities are remotely exploitable with no authentication required and low attack complexity.

What this means
What could happen
An attacker could remotely compromise the AFF660/665 power distribution controller, potentially disrupting power delivery, falsifying sensor data, or denying access to management functions on critical energy infrastructure.
Who's at risk
Electric utility operators, transmission and distribution system managers, and facilities with Hitachi Energy AFF660/665 power distribution controllers. These devices are widely deployed in electrical substations and distribution networks to manage power flow, monitor equipment health, and provide remote management capabilities.
How it could be exploited
An attacker on the network can send specially crafted requests to the device's web interface or management protocols. The vulnerabilities (including cross-site scripting, weak randomization, and improper DNS/NTP validation) require no authentication and low complexity to exploit, allowing the attacker to inject code, bypass security checks, or trigger a denial of service.
Prerequisites
  • Network access to the AFF660/665 device (typically TCP ports 80/443 for web interface or port 161 for SNMP)
  • Device running firmware version 03.0.02 or earlier
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High EPSS score (74.6%)
  • No fix currently available
  • Critical severity (CVSS 9.6)
Exploitability
High exploit probability (EPSS 74.6%)
Affected products (1)
Product | Affected Versions | Fix Status
AFF660/665: <= 03.0.02 | ≤ 03.0.02 | 04.6.01
Remediation & Mitigation
Do now
HOTFIX: Update AFF660/665 firmware to version 04.6.01 when released by Hitachi Energy
WORKAROUND: Disable SNMP server on the device via CLI or web interface
HARDENING: Configure only trusted DNS servers for the device to use
HARDENING: Configure NTP with redundant, trustworthy time sources to prevent time-based attacks
HARDENING: Restrict management protocol access (TCP/IP-based management) to known trusted IP addresses via firewall or device ACLs
Long-term hardening
HARDENING: Implement network segmentation: isolate AFF660/665 devices from the internet and non-essential networks; allow only minimal exposed ports for required management
HARDENING: Physically restrict unauthorized access to the device