Hitachi Energy MicroSCADA Pro/X SYS600 (Update A)

Status: Plan Patch | CVSS 9.9 | ICS-CERT ICSA-24-331-04 | Nov 26, 2024
Vendor: Hitachi Energy | Sectors: Energy, Manufacturing
Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

Multiple vulnerabilities (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7940, CVE-2024-7941) in Hitachi Energy MicroSCADA X SYS600 and MicroSCADA Pro SYS600 allow authenticated attackers to inject code into persistent data (CWE-943), manipulate the file system via path traversal (CWE-22), hijack user sessions (CWE-294, CWE-306), and perform phishing attacks (CWE-601). Affected versions: MicroSCADA X SYS600 versions 10.0–10.5, and MicroSCADA Pro SYS600 versions 9.4_FP2_HF1 through HF4. Successful exploitation could allow attackers to execute arbitrary code, modify configurations, or disrupt SCADA operations.

What this means
What could happen
An authenticated attacker could inject malicious code into the MicroSCADA system, manipulate files, hijack user sessions, or perform phishing attacks, compromising the integrity of SCADA operations and potentially allowing unauthorized control of critical energy infrastructure.
Who's at risk
Energy utilities and manufacturing facilities operating Hitachi Energy MicroSCADA X SYS600 (versions 10.0–10.5) or MicroSCADA Pro SYS600 (versions 9.4_FP2_HF1 through HF4). This affects SCADA systems used for generation monitoring, substation control, and process automation.
How it could be exploited
An attacker with valid credentials (whether legitimate or obtained through phishing or credential theft) can access the MicroSCADA web interface and exploit the path traversal, code injection, or session hijacking vulnerabilities to inject persistent code, modify system files, or steal session tokens. From there, the attacker could alter process configurations, setpoints, or control logic in SCADA applications running on the system.
Prerequisites
  • Valid MicroSCADA user credentials or ability to compromise them through phishing
  • Network access to the MicroSCADA X SYS600 or Pro SYS600 web interface (typically port 443 or application-specific ports)
  • System must be running affected version (MicroSCADA X 10.0–10.5 or MicroSCADA Pro 9.4_FP2_HF1 through HF4)
  • Remotely exploitable
  • Requires valid credentials to exploit
  • Low attack complexity
  • Critical CVSS score (9.9)
  • Affects SCADA system integrity and control
  • Allows persistent code injection
  • No active exploitation reported, but patches available
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (5), 5 with fix
Product | Affected Versions | Fix Status
MicroSCADA X SYS600 | ≥ 10.0 and < 10.2 | 10.6
MicroSCADA X SYS600 | ≥ 10.2 and < 10.5 | 10.6
MicroSCADA X SYS600 | 10.5 | 10.6
MicroSCADA Pro SYS600 | ≥ 9.4 FP2 HF1 and < 9.4 FP2 HF5 | 10.6
MicroSCADA Pro SYS600 | 9.4 FP1 | 10.6
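The affected-version table above turned into an inventory check for patch planning. This is an added example, not part of the advisory or of Hitachi Energy's tooling; the hostnames and the version-string grammar ("10.5", "9.4 FP2 HF3", "9.4_FP2_HF1") are assumptions made for illustration.

```python
import re

def parse_version(text):
    """Parse '10.5', '9.4 FP2 HF3' or '9.4_FP2_HF1' into a comparable tuple.
    Assumed grammar: major.minor, optional feature pack (FPn), optional hotfix (HFn).
    Missing FP/HF parts become 0, so 10.5 -> (10, 5, 0, 0) and 9.4 FP2 HF3 -> (9, 4, 2, 3)."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:[ _]FP(\d+))?(?:[ _]HF(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

# Affected ranges as listed in the advisory's product table.
# (low, high) means low <= version < high; (exact, None) means an exact match.
AFFECTED = {
    "MicroSCADA X SYS600": [
        (parse_version("10.0"), parse_version("10.2")),
        (parse_version("10.2"), parse_version("10.5")),
        (parse_version("10.5"), None),
    ],
    "MicroSCADA Pro SYS600": [
        (parse_version("9.4 FP2 HF1"), parse_version("9.4 FP2 HF5")),
        (parse_version("9.4 FP1"), None),
    ],
}

def is_affected(product, version):
    """True if the given product/version falls inside an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED.get(product, []):
        if high is None:
            if v == low:
                return True
        elif low <= v < high:
            return True
    return False

def triage(inventory):
    """Return the hostnames from (host, product, version) records that still run an affected build."""
    return [host for host, product, version in inventory if is_affected(product, version)]

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("sub-hmi-01", "MicroSCADA X SYS600", "10.3"),
    ("sub-hmi-02", "MicroSCADA X SYS600", "10.6"),
    ("gen-ctl-01", "MicroSCADA Pro SYS600", "9.4 FP2 HF3"),
    ("gen-ctl-02", "MicroSCADA Pro SYS600", "9.4 FP2 HF6"),
    ("gen-ctl-03", "MicroSCADA Pro SYS600", "9.4 FP1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("affected, schedule patch:", host)
```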
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to MicroSCADA web interface ports to authorized engineering workstations and administrative systems only, using firewall rules
  • HARDENING: Enforce strong password policies and multifactor authentication (if supported) for all MicroSCADA user accounts
  • HARDENING: Scan all portable computers and removable media with antivirus software before connecting to MicroSCADA systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

MicroSCADA X SYS600
  • HOTFIX: Update MicroSCADA X SYS600 versions 10.3, 10.4, or 10.5 to the respective January 2025 vulnerability patch (2025_01), or upgrade all systems to Version 10.6
  • HOTFIX: For MicroSCADA X SYS600 version 10.5 with the CVE-2024-7941 patch, update to version 10.5 patch 2025_01 or upgrade to Version 10.6
MicroSCADA Pro SYS600
  • HOTFIX: Update MicroSCADA Pro SYS600 to Patch 9.4 FP2 HF6 (ensure all previous FP2 hotfixes are installed first)
Long-term hardening
  • HARDENING: Isolate MicroSCADA systems from the general corporate network and the Internet; ensure they sit behind a firewall with minimal exposed ports
