Hitachi Energy RTU500 Series Product (Update B)
Monitor · CVSS 7.2 · ICS-CERT ICSA-25-023-02 · Jan 23, 2025
Hitachi Energy · Energy
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
CVE-2024-2617 is a secure update bypass vulnerability in the Hitachi Energy RTU500 Web server component. An attacker with high-privilege credentials could bypass secure update verification and install unsigned firmware. Affected firmware versions: 13.2.1–13.2.7, 13.4.1–13.4.4, and 13.5.1–13.5.3. Fixes are available: update to CMU Firmware 13.7.7 or later (for 13.2.x and 13.4.x branches) or 13.5.4 or later (for 13.5.x branch) and enable the secure update feature.
What this means
What could happen
An attacker with high-level privileges on the RTU500 could bypass secure update verification, allowing installation of unsigned or malicious firmware. This could compromise the integrity of the remote terminal unit, potentially disrupting monitoring and control of power grid operations.
Who's at risk
Energy utilities operating Hitachi Energy RTU500 series remote terminal units, particularly those managing substation monitoring and control in power distribution and transmission networks.
How it could be exploited
An attacker with high-privilege credentials (engineering or administrative access) on the RTU500 CMU (Control and Monitoring Unit) could manipulate the secure update process by exploiting the Web server vulnerability, bypassing signature verification and uploading malicious firmware without detection.
Prerequisites
- High-privilege administrative or engineering credentials on the RTU500
- Network access to the RTU500 Web server component
- Access to the firmware update interface
High-privilege access required · affects critical power infrastructure control device · bypass of firmware integrity verification mechanism
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RTU500 series CMU Firmware | ≥ 13.2.1, ≤ 13.2.7 | No fix yet |
| RTU500 series CMU Firmware | ≥ 13.4.1, ≤ 13.4.4 | No fix yet |
| RTU500 series CMU Firmware | ≥ 13.5.1, ≤ 13.5.3 | No fix yet |
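
An added example (not part of the original advisory and not Hitachi Energy tooling): triaging an asset inventory against the affected ranges above, with the fix targets taken from the Summary. The CSV layout, hostnames and function names are assumptions.

```python
import csv
import io
import re

# Affected CMU firmware ranges (inclusive) and fix targets, from the advisory summary.
AFFECTED = [
    ((13, 2, 1), (13, 2, 7), "13.7.7"),
    ((13, 4, 1), (13, 4, 4), "13.7.7"),
    ((13, 5, 1), (13, 5, 3), "13.5.4"),
]
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version_text):
    """Return (status, fix_target) for one reported CMU firmware version."""
    m = _VERSION.match(version_text or "")
    if not m:
        return ("unknown", None)  # unreadable value: verify on the device
    # Compare as integer tuples; as strings, "13.2.10" would sort below "13.2.7".
    version = tuple(int(part) for part in m.groups())
    for low, high, fix in AFFECTED:
        if low <= version <= high:
            return ("affected", fix)
    return ("not_listed", None)  # outside the ranges the advisory names


def triage_inventory(csv_text):
    """Map each host in a CSV inventory (columns: host, cmu_firmware) to its triage."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["cmu_firmware"]) for row in reader}


# Constructed sample inventory; hostnames and the column layout are assumptions.
SAMPLE_INVENTORY = """host,cmu_firmware
rtu-sub-01,13.2.5
rtu-sub-02,13.4.4
rtu-sub-03,13.5.3
rtu-sub-04,13.5.4
rtu-sub-05,13.2.10
rtu-sub-06,n/a
"""

if __name__ == "__main__":
    for host, (status, fix) in triage_inventory(SAMPLE_INVENTORY).items():
        action = f"update to {fix} or later, then enable secure update" if fix else "-"
        print(f"{host:12} {status:11} {action}")
```

A "not_listed" result only means the version falls outside the ranges this advisory names; the secure update setting still has to be checked on the device itself.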
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to RTU500 Web server to authorized engineering workstations only via firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RTU500 CMU Firmware to version 13.7.7 or latest
- HOTFIX: Update RTU500 CMU Firmware to version 13.5.4 or latest (if on 13.5.x branch)
- HARDENING: Enable secure update feature on all CMUs in RTU500 units after patching
Long-term hardening
- HARDENING: Segment RTU500 devices behind firewall, isolate from business networks and internet
CVEs (1)
API: /api/v1/advisories/d9a5f75c-b452-4703-bca7-cd08ac4c09c1