Multiple Vulnerabilities in Hitachi Energy RTU500 Series

Plan PatchCVSS 8.2ICS-CERT ICSA-24-116-01Apr 25, 2024

Hitachi EnergyEnergy

Attack path

Summary

Hitachi Energy RTU500 series CMU firmware contains an unsafe file upload vulnerability (CWE-434) that allows authenticated attackers to upload or transfer files of dangerous types that are automatically processed by the device. Affected firmware versions include 12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 12.7.1–12.7.6, 13.2.1–13.2.6, 13.4.1–13.4.4, and 13.5.1–13.5.3. Hitachi Energy has released patches only for versions 12.7.1–12.7.6 (update to 12.7.7) and 13.2.1–13.2.6 (update to 13.2.7). For other affected versions, the vendor recommends network segmentation, firewall rules, physical access controls, and other compensating controls.

What this means

What could happen

An attacker with engineering access to the RTU500 could upload malicious files that the device automatically processes, potentially allowing execution of arbitrary code that could alter control logic, change setpoints, or disrupt critical power grid operations.

Who's at risk

Energy utilities and power generation facilities operating Hitachi Energy RTU500 series Remote Terminal Units should care about this vulnerability. RTU500 devices are used in substation automation and power distribution control. All versions of RTU500 CMU firmware from 12.0.1 through 13.5.3 are affected, with only two version branches (12.7 and 13.2) having patches available.

How it could be exploited

An attacker must gain network access to the RTU500 CMU and authenticate with valid engineering credentials. Once authenticated, they can exploit the unsafe file upload mechanism to transfer executable or script files that the device will automatically process, leading to code execution with the same privileges as the device.

Prerequisites

Network access to RTU500 CMU management interface (port/protocol details not specified in advisory)
Valid engineering or maintenance credentials for the CMU
Knowledge of the file types the device will automatically process

Requires valid engineering credentials (high barrier to entry)Network-accessible management interfaceLow complexity exploitation once authenticatedNo patches available for 6 of 8 affected firmware branchesAffects critical energy sector infrastructureUnsafe file upload processing could lead to code execution

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (8)

8 pending

ProductAffected VersionsFix Status

RTU500 series CMU Firmware: >=12.0.1|<=12.0.14≥ 12.0.1|≤ 12.0.14No fix yet

RTU500 series CMU Firmware: >=12.2.1|<=12.2.11≥ 12.2.1|≤ 12.2.11No fix yet

RTU500 series CMU Firmware: >=12.4.1|<=12.4.11≥ 12.4.1|≤ 12.4.11No fix yet

RTU500 series CMU Firmware: >=12.6.1|<=12.6.9≥ 12.6.1|≤ 12.6.9No fix yet

RTU500 series CMU Firmware: >=12.7.1|<=12.7.6≥ 12.7.1|≤ 12.7.6No fix yet

RTU500 series CMU Firmware: >=13.2.1|<=13.2.6≥ 13.2.1|≤ 13.2.6No fix yet

RTU500 series CMU Firmware: >=13.4.1|<=13.4.4≥ 13.4.1|≤ 13.4.4No fix yet

RTU500 series CMU Firmware: >=13.5.1|<=13.5.3≥ 13.5.1|≤ 13.5.3No fix yet

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDFor affected versions without patches (12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 13.4.1–13.4.4, 13.5.1–13.5.3), restrict network access to the RTU500 CMU management interface using firewall rules allowing only authorized engineering workstations

WORKAROUNDDisable or restrict the file upload/transfer functionality on the RTU500 CMU if it is not required for normal operations

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate RTU500 series CMU Firmware to version 12.7.7 if currently running version 12.7.1–12.7.6

HOTFIXUpdate RTU500 series CMU Firmware to version 13.2.7 if currently running version 13.2.1–13.2.6

Long-term hardening

0/3

HARDENINGPhysically protect RTU500 devices from unauthorized access and prevent direct Internet connections

HARDENINGImplement network segmentation to isolate process control systems (including RTU500) from corporate networks and external access using firewall rules with minimal exposed ports

HARDENINGScan portable computers and removable storage media for malware before connecting them to the RTU500 or control system network

CVEs (2)

CVE-2024-1531 CVE-2024-1532

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/20f1097f-6d23-4f54-bf3a-0a08700e7668

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.