Hitachi Energy FOXMAN-UN

Plan Patch | CVSS 10 | ICS-CERT ICSA-25-014-01 | Jan 14, 2025
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy FOXMAN-UN contains multiple authentication and cryptographic weaknesses (CWE-288, CWE-286, CWE-295, CWE-307, CWE-259) that allow an unauthenticated attacker on the network to bypass authentication mechanisms and access the system's services and administrative functions. Affected versions include R16A, R15A, older than R15A (end-of-life with no fixes planned), R16B, R15B, R16B PC2, and R15B PC4. The vulnerabilities span authentication bypass, weak credential handling, insufficient input validation, and plaintext credential storage.

What this means
What could happen
An unauthenticated attacker on the network could bypass authentication and interact with FOXMAN-UN's services, potentially executing commands or modifying configuration on this energy management system without credentials.
Who's at risk
Energy utilities and operators managing power systems using Hitachi Energy FOXMAN-UN network management software, particularly those running R15A, R15B, R16A, R16B versions. End-of-life versions (R15A, R16A, and older) will not receive patches.
How it could be exploited
An attacker on the network can connect to FOXMAN-UN without providing valid credentials and access the service interface. By exploiting authentication bypass and weak credential handling vulnerabilities, the attacker can then perform administrative actions on the system.
Prerequisites
  • Network access to FOXMAN-UN device or service ports
  • No authentication credentials required
remotely exploitable, no authentication required, low complexity, multiple authentication bypass weaknesses, critical CVSS score 10.0, energy sector control system, no fix available for older versions
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (7)
2 with fix, 2 pending, 3 EOL
Product | Affected Versions | Fix Status
FOXMAN-UN R15A | R15A | No fix (EOL)
FOXMAN-UN R16B | R16B | No fix yet
FOXMAN-UN R15B | R15B | No fix yet
FOXMAN-UN R16B PC2 | R16B PC2 | R16B PC3
FOXMAN-UN R15B PC4 | R15B PC4 | R15B PC5
FOXMAN-UN R16A | R16A | No fix (EOL)
FOXMAN-UN older than R15A | <R15A | No fix (EOL)
Remediation & Mitigation
Do now
FOXMAN-UN R16B
WORKAROUND: For FOXMAN-UN R16B and R15B: restrict SSH access by adding 'DenyUsers nemadm' to /etc/ssh/sshd_config and reload the SSH service
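To confirm the workaround above is actually in effect, the following added example (not part of the advisory or of Hitachi Energy's tooling) checks an sshd_config for a global DenyUsers entry naming nemadm. The function name, return codes and sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code: verify the 'DenyUsers nemadm' workaround.
# Returns 0 if a DenyUsers directive in the global section (before the first
# Match block) lists the account by its exact name, 1 if not, 2 if unreadable.
# Assumptions: Include files are not followed, wildcard patterns are not
# expanded, and USER@HOST entries do not count because they are host-scoped.
check_denyusers() {
    config=$1
    account=${2:-nemadm}
    [ -r "$config" ] || return 2
    awk -v acct="$account" '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z]+/)) next
            key  = tolower(substr(line, 1, RLENGTH))   # keywords are case-insensitive
            rest = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)          # "Keyword value" or "Keyword=value"
            gsub(/"/, "", rest)                        # arguments may be quoted
            if (key == "match") exit                   # conditional section: stop here
            if (key != "denyusers") next
            n = split(rest, user)
            for (i = 1; i <= n; i++) {
                if (user[i] ~ /^#/) break              # trailing comment
                if (user[i] == acct) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$config"
}

# Check the file given as $1, or a constructed sample when no path is given.
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    printf 'Port 22\ndenyusers backup nemadm\n' > "$target"   # constructed sample
fi
if check_denyusers "$target"; then
    echo "OK: nemadm is denied in the global section of $target"
else
    echo "MISSING: no global DenyUsers entry for nemadm in $target"
fi
```

A commented-out line or a DenyUsers entry that appears only inside a Match block is reported as missing, since neither blocks the account unconditionally. Running `sshd -t` after editing validates the file before the service is reloaded.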
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FOXMAN-UN R16B
HOTFIX: Update FOXMAN-UN R16B PC2 to R16B PC3 or later (R16B PC4 recommended)
FOXMAN-UN R15B
HOTFIX: Update FOXMAN-UN R15B PC4 to R15B PC5 when available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FOXMAN-UN R15A, FOXMAN-UN R16A, FOXMAN-UN older than R15A. Apply the following compensating controls:
HARDENING: Place FOXMAN-UN systems behind a firewall and isolate from the business network; do not expose to the internet
HARDENING: If remote access to FOXMAN-UN is required, implement a VPN with the most recent available version