Hitachi Energy RTU500 Series Product (Update B)
Monitor | 7.2 | ICS-CERT ICSA-25-023-02 | Jan 23, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
CVE-2024-2617 is a vulnerability in the RTU500 Web server component that allows an attacker with high-privilege credentials to bypass secure update verification. This could enable installation of unauthorized firmware on the RTU500 Remote Terminal Unit. Affected firmware versions include 13.2.1 through 13.2.7, 13.4.1 through 13.4.4, and 13.5.1 through 13.5.3. The secure update feature, which protects against unauthorized firmware changes, is the mechanism being bypassed.
What this means
What could happen
An attacker with high-privilege access could bypass the secure update feature on RTU500 Remote Terminal Units, potentially allowing them to install unauthorized firmware that could disrupt grid operations or data integrity.
Who's at risk
Electric utility operators and grid control centers running Hitachi Energy RTU500 Remote Terminal Units. RTU500 devices are commonly used in distribution and transmission substations for telemetry, monitoring, and control. Any facility relying on RTU500 for remote operations should assess whether their devices are running the affected firmware versions.
How it could be exploited
An attacker with administrative or engineer credentials could access the RTU500 Web server and exploit the vulnerability to bypass the secure update verification. This allows installation of malicious or unsigned firmware versions that could alter control logic, disable safety functions, or cause operational disruption.
Prerequisites
- High-privilege credentials (administrative or engineering role) for RTU500 Web server access
- Network access to RTU500 Web server component
- RTU500 running affected CMU Firmware versions (13.2.1-13.2.7, 13.4.1-13.4.4, or 13.5.1-13.5.3)
- High-privilege access required but creates critical risk if credentials are compromised
- Affects firmware update integrity—foundational control system security mechanism
- No patch available for versions 13.2.1-13.2.7 and 13.4.1-13.4.4; only 13.5.x has a fix path
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
RTU500 series CMU Firmware | ≥ 13.2.1, ≤ 13.2.7 | No fix yet
RTU500 series CMU Firmware | ≥ 13.4.1, ≤ 13.4.4 | No fix yet
RTU500 series CMU Firmware | ≥ 13.5.1, ≤ 13.5.3 | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Enable secure update feature on all RTU500 CMUs after patching
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update CMU Firmware to version 13.7.7 or latest
- HOTFIX: Update CMU Firmware to version 13.5.4 or latest
Long-term hardening
- HARDENING: Restrict network access to RTU500 devices—ensure they are not directly accessible from the internet or untrusted networks
- HARDENING: Place RTU500 devices behind firewalls and isolate control system networks from business networks
- HARDENING: Use VPN or other secure remote access methods if remote management is required; keep VPN software up to date
CVEs (1)
API:
/api/v1/advisories/d9a5f75c-b452-4703-bca7-cd08ac4c09c1