OTPulse

Hitachi Energy FOXMAN-UN

Act Now · 10 · ICS-CERT ICSA-25-014-01 · Jan 14, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy FOXMAN-UN monitoring and control system contains multiple authentication bypass, input validation, certificate validation, and credential storage vulnerabilities (CWE-288, CWE-88, CWE-122, CWE-286, CWE-295, CWE-307, CWE-259, CWE-312). Successful exploitation allows an unauthenticated attacker to interact with services and bypass post-authentication protections.

What this means
What could happen
An unauthenticated attacker could bypass authentication mechanisms and gain unauthorized access to FOXMAN-UN, potentially allowing them to manipulate power system monitoring and control functions, disrupt operations, or alter system configurations.
Who's at risk
Energy utilities and grid operators who use Hitachi Energy FOXMAN-UN devices for power system monitoring and control. This affects R16A, R15A, and all versions older than R15A (end-of-life with no fixes available), as well as R16B and R15B product lines. Any electric utility or generation facility relying on FOXMAN-UN for operational visibility and automation is at risk.
How it could be exploited
An attacker on the network could send crafted requests to the FOXMAN-UN service ports to bypass authentication controls. Once past the initial authentication layer, they could exploit post-authentication vulnerabilities to interact with the monitoring and control system functions without valid credentials.
Prerequisites
  • Network access to FOXMAN-UN service ports
  • No valid credentials required for initial exploitation
  • Service must be reachable from attacker's network segment
remotely exploitable · no authentication required · low complexity · affects power system control and monitoring · no patch available for older versions · multiple vulnerability types
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (7)
2 with fix · 2 pending · 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| FOXMAN-UN R15A | R15A | No fix (EOL) |
| FOXMAN-UN R16B | R16B | No fix yet |
| FOXMAN-UN R15B | R15B | No fix yet |
| FOXMAN-UN R16B PC2 | R16B PC2 | R16B PC3 |
| FOXMAN-UN R15B PC4 | R15B PC4 | R15B PC5 |
| FOXMAN-UN R16A | R16A | No fix (EOL) |
| FOXMAN-UN older than R15A | <R15A | No fix (EOL) |
Remediation & Mitigation
Do now
WORKAROUND: Configure DenyUsers directive for nemadm account in /etc/ssh/sshd_config on R16B and R15B to block SSH access
HARDENING: Restrict network access to FOXMAN-UN devices by implementing firewall rules to limit service port access to authorized operator workstations and control systems only
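
A check for the DenyUsers workaround above, added here as an example (it is not part of the advisory or of any Hitachi Energy tooling). The function name `denyusers_blocks` and the sample file are constructed for illustration; the check assumes the account must be listed by exact name outside any Match block.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the DenyUsers workaround.
# denyusers_blocks ACCOUNT FILE -> exit status 0 if ACCOUNT is named in a
# DenyUsers directive at global scope, 1 otherwise.
denyusers_blocks() {
    awk -v acct="$1" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z0-9]+/)) next
            kw   = tolower(substr(line, 1, RLENGTH))  # keywords are case-insensitive
            args = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", args)          # "Keyword value" or "Keyword=value"
            # Directives after a Match line apply only to matching sessions,
            # so they are treated as conditional and do not count.
            if (kw == "match") { conditional = 1; next }
            if (kw != "denyusers" || conditional) next
            # Exact account name only; USER@HOST and wildcard patterns are
            # deliberately not accepted as proof of an unconditional block.
            n = split(args, pat, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (pat[i] == acct) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$2"
}

# Constructed sample file (not taken from a FOXMAN-UN system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin no
denyusers backup nemadm
Match Address 10.0.0.0/8
    DenyUsers guest
EOF

if denyusers_blocks nemadm "$sample"; then
    echo "nemadm: denied at global scope"
else
    echo "nemadm: NOT denied unconditionally"
fi
rm -f "$sample"
```

This parser does not follow `Include` directives; on a live host, `sshd -T` prints the effective configuration and is the authoritative check.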
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FOXMAN-UN R16B
HOTFIX: Update FOXMAN-UN R16B PC2 to R16B PC3 or later
FOXMAN-UN R15B
HOTFIX: Update FOXMAN-UN R15B PC4 to R15B PC5 (in development)
FOXMAN-UN R16A
HOTFIX: Migrate FOXMAN-UN R16A, R15A, and older versions to supported releases (R16B PC4 or R15B PC5 when available)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FOXMAN-UN R15A, FOXMAN-UN R16A, FOXMAN-UN older than R15A. Apply the following compensating controls:
HARDENING: Isolate FOXMAN-UN systems from the internet and business network; place behind air-gap or next-generation firewall with strict ingress/egress rules
HARDENING: If remote access is required, implement VPN with current version and strong authentication; verify VPN security posture