Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

MonitorCVSS 4.9ICS-CERT ICSA-25-016-06Jan 16, 2025

Hitachi EnergyEnergyManufacturing

Attack path

Attack VectorPhysical

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Hitachi Energy FOXMAN-UN, FOX61x, and FOXCST products contain a certificate validation weakness (CWE-297) that could allow an attacker on the same network or with physical access to intercept or falsify data exchanged between the client and server. This affects configuration and management of energy control systems. The vulnerability is not remotely exploitable and requires network proximity or physical access to the communication path. Affected versions: FOXMAN-UN R16B PC2 and earlier, R15B and earlier, FOX61x less than R16B, and FOXCST less than 16.2.1. End-of-life versions (FOXMAN-UN R16A, R15A, and older) will not receive patches.

What this means

What could happen

An attacker with physical access or ability to intercept network traffic could forge or modify data exchanged between the FOXMAN-UN client and server, potentially altering process data or system commands without detection.

Who's at risk

Energy and manufacturing organizations using Hitachi Energy FOXMAN-UN (R15A and later), FOX61x, or FOXCST products for control system configuration and management should prioritize patching. EOL versions (R15A and earlier, R16A) cannot be patched and require migration planning.

How it could be exploited

The vulnerability exists in the certificate or TLS validation mechanism used for client-server communication. An attacker on the same network segment, or with physical access to the cable infrastructure, could intercept unencrypted or improperly validated connections and inject false data into FOXMAN-UN operations.

Prerequisites

Network access to the FOXMAN-UN client-server communication path
Physical proximity to network cable or network segment where FOXMAN-UN communicates
No user interaction required for data interception

No authentication required for data interceptionLow attack complexityAffects integrity of control system data exchangesMultiple products with no patch available (end-of-life versions)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (7)

4 with fix3 EOL

ProductAffected VersionsFix Status

FOXMAN-UN R16B PC2 and earlier≤ R16B PC2R16B PC3+

FOXMAN-UN R15B or prior≤ R15B PC4R15B PC5

FOXMAN-UN R16AR16ANo fix (EOL)

FOXMAN-UN R15AR15ANo fix (EOL)

FOXMAN-UN older than R15A<R15ANo fix (EOL)

FOX61x less than R16B<R16BR16B

FOXCST less than 16.2.1<16.2.116.2.1

Remediation & Mitigation

0/7

Do now

0/1

WORKAROUNDRestrict network access to FOXMAN-UN ports to authorized clients only using firewall rules

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

FOXMAN-UN R15B or prior

HOTFIXUpdate FOXMAN-UN R15B or prior to R15B PC5

All products

HOTFIXUpdate FOXMAN-UN R16B to PC3 or later

HOTFIXUpdate FOX61x to R16B or later

HOTFIXUpdate FOXCST to version 16.2.1 or later

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: FOXMAN-UN R16A, FOXMAN-UN R15A, FOXMAN-UN older than R15A. Apply the following compensating controls:

HARDENINGFor EOL versions (FOXMAN-UN R16A, R15A, or older than R15A), plan migration to FOXMAN-UN R16B PC4 or R15B PC5

HARDENINGIsolate FOXMAN-UN client-server connections from the business network using a separate industrial network or VLAN

CVEs (1)

CVE-2024-2462

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/72bdd9e4-abde-466c-9868-8eb7333953d9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.