OTPulse

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

Monitor | CVSS 4.9 | ICS-CERT ICSA-25-016-06 | Jan 16, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A certificate validation vulnerability (CWE-297) in Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN products could allow an attacker with physical proximity and user interaction to intercept or falsify data exchanges between client and server. The vulnerability affects multiple product versions and requires user interaction to exploit.

What this means
What could happen
An attacker could intercept or alter data communications between engineering workstations and these Hitachi Energy devices, potentially allowing them to change process parameters, falsify readings, or disrupt normal operations without detection.
Who's at risk
This affects energy utilities and manufacturing facilities using Hitachi Energy remote terminal units and automation software. Specifically, operators, engineers, and technicians who use FOX61x hardware, FOXCST configuration software, and FOXMAN-UN management systems for monitoring and controlling substations, power distribution, or industrial processes.
How it could be exploited
An attacker with physical access or presence on the local network (Man-in-the-Middle position) exploits improper certificate validation to intercept communications between a client and server. The attacker tricks a user into accepting a fraudulent certificate, after which data exchanges can be viewed or modified.
Prerequisites
  • Physical proximity to network or position on the same network segment as the device
  • User interaction required to accept or validate a certificate
  • Direct line-of-sight to network traffic or ability to conduct a man-in-the-middle attack on the local network
low complexity attack · user interaction required · no patch available for older versions · affects remote management communications · certificate validation bypass
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
4 with fix, 3 EOL
Product | Affected Versions | Fix Status
FOXMAN-UN R16B PC2 and earlier | ≤ R16B PC2 | R16B PC3 or later
FOXMAN-UN R15B or prior | ≤ R15B PC4 | R15B PC5
FOXMAN-UN R16A | R16A | No fix (EOL)
FOXMAN-UN R15A | R15A | No fix (EOL)
FOXMAN-UN older than R15A | <R15A | No fix (EOL)
FOX61x less than R16B | <R16B | R16B
FOXCST less than 16.2.1 | <16.2.1 | 16.2.1
Remediation & Mitigation
Do now
HARDENING: Isolate all FOX61x, FOXCST, and FOXMAN-UN systems from the Internet and place behind firewalls
WORKAROUND: For required remote access to these systems, mandate use of a VPN with up-to-date software and strong credentials
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

FOXMAN-UN R15B or prior
HOTFIX: Update FOXMAN-UN R15B or prior to R15B PC5 or later
All products
HOTFIX: Update FOXMAN-UN R16B PC2 or earlier to R16B PC3 or later
HOTFIX: For end-of-life FOXMAN-UN versions (R16A, R15A, or older than R15A), retire and replace with FOXMAN-UN R16B PC4 or R15B PC5
HOTFIX: Update FOX61x devices to firmware version R16B or later
HOTFIX: Update FOXCST software to version 16.2.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FOXMAN-UN R16A, FOXMAN-UN R15A, FOXMAN-UN older than R15A. Apply the following compensating controls:
HARDENING: Segment control system networks from business networks to prevent lateral movement from office IT systems
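
An added example, not part of the advisory or any Hitachi Energy tooling: a small Python triage that applies the affected-products table and remediation steps above to an asset inventory. The version-string format (`R<nn><letter> PC<n>`, with a missing PC suffix read as PC0), the status labels, and the inventory rows are assumptions made for illustration.

```python
import re

def parse_release(v):
    """'R16B PC2' -> (16, 'B', 2). A missing PC suffix is treated as PC0 (assumption)."""
    m = re.fullmatch(r"R(\d+)([A-Z])(?:\s*PC(\d+))?", v.strip().upper())
    if not m:
        raise ValueError(f"unrecognised release string: {v!r}")
    return int(m.group(1)), m.group(2), int(m.group(3) or 0)

def triage(product, version):
    """Map one inventory entry to (status, action) using the advisory's table."""
    product = product.strip().upper()
    if product == "FOXCST":  # dotted version, e.g. 16.1.0
        ver = tuple(int(p) for p in version.strip().split("."))
        return ("affected", "update to 16.2.1 or later") if ver < (16, 2, 1) else ("fixed", "none")
    major, letter, pc = parse_release(version)
    train = (major, letter)
    if product == "FOX61X":
        return ("affected", "update to R16B or later") if train < (16, "B") else ("fixed", "none")
    if product != "FOXMAN-UN":
        raise ValueError(f"product not covered by this advisory: {product!r}")
    if train == (16, "B"):
        return ("affected", "update to R16B PC3 or later") if pc <= 2 else ("fixed", "none")
    if train == (15, "B"):
        return ("affected", "update to R15B PC5 or later") if pc <= 4 else ("fixed", "none")
    if train < (16, "B"):  # R16A, R15A and anything older than R15A
        return "eol", "no fix; replace with R16B PC4 or R15B PC5"
    return "unlisted", "release not named in the advisory; confirm with the vendor"

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("ems-01", "FOXMAN-UN", "R16B PC2"),
    ("ems-02", "FOXMAN-UN", "R16A"),
    ("ems-03", "FOXMAN-UN", "R15B PC5"),
    ("ne-17", "FOX61x", "R15B"),
    ("eng-ws-4", "FOXCST", "16.2.1"),
]

def triage_inventory(rows):
    """Return (host, product, version, status, action) for every inventory row."""
    return [(host, product, version, *triage(product, version)) for host, product, version in rows]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print("{:<9} {:<10} {:<9} {:<8} {}".format(*row))
```

Entries that come back as `eol` are the ones that need the network segmentation control listed above until they are replaced.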