Hitachi Energy UNEM
Act Now | 10 | ICS-CERT ICSA-25-030-01 | Jan 30, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Hitachi Energy UNEM contains multiple critical vulnerabilities in authentication (CWE-288), command injection (CWE-88), buffer overflow (CWE-122), certificate validation (CWE-295), hardcoded credentials (CWE-259), and other issues that allow remote attackers without credentials to execute arbitrary code, cause denial of service, access sensitive data, or run unintended commands. The vulnerabilities affect UNEM R16A, R15A, and all versions older than R15A (end-of-life with no remediation available), as well as UNEM R16B PC2 and R15B PC4.
What this means
What could happen
An attacker with network access to a UNEM device could execute arbitrary code, trigger denial of service, run unintended commands, or steal sensitive information. This could disrupt electricity distribution, energy market operations, or industrial manufacturing processes.
Who's at risk
Energy utilities running Hitachi Energy UNEM systems for electricity market operations and distribution control should be concerned. Manufacturing facilities using UNEM for process control also need to assess impact. All versions from R15A and earlier are end-of-life with no available patches; R16B PC2 and R15B PC4 have patches available or in development.
How it could be exploited
An attacker on the network containing a UNEM device can exploit multiple authentication, input validation, and cryptography flaws (CWE-288, CWE-88, CWE-122, CWE-295) to gain unauthorized access without credentials and execute arbitrary commands or code on the device.
Prerequisites
- Network access to the UNEM device or port
- No valid credentials required
- Device must be reachable from attacker's network position
remotely exploitable | no authentication required | low complexity attack | affects critical energy infrastructure | multiple authentication and cryptography flaws | most versions are end-of-life with no patch available
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (7)
2 with fix, 2 pending, 3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| UNEM R16B | R16B | No fix yet |
| UNEM R15B | R15B | No fix yet |
| UNEM R16B PC2 | R16B PC2 | R16B PC3 or later (R16B PC4 recommended) |
| UNEM R15B PC4 | R15B PC4 | R15B PC5 (under development) |
| UNEM R16A | R16A | No fix (EOL) |
| UNEM R15A | R15A | No fix (EOL) |
| UNEM older than R15A | <R15A | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Configure DenyUsers nemadm in /etc/ssh/sshd_config to block SSH access for the nemadm account
- HARDENING: Implement network firewall rules to restrict access to UNEM devices to only authorized management networks and block untrusted traffic
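One way to confirm that the DenyUsers workaround above is actually in place, as an added example (not code from the advisory or from Hitachi Energy). The helper name `denyusers_has` is hypothetical and the sample configurations are constructed; only a literal `nemadm` entry outside any Match block counts as compliant.

```shell
#!/bin/sh
# Added example (not vendor code): check an sshd_config for the workaround.
# denyusers_has FILE USER -> exit 0 if USER is a literal entry in a global
# DenyUsers directive, exit 1 otherwise.
denyusers_has() {
    awk -v user="$2" '
        # Drop comments and quotes; accept "Keyword=value" and "Keyword value".
        { sub(/#.*/, ""); gsub(/"/, ""); sub(/[=]/, " ") }
        # Directives after a Match line apply only conditionally, so skip them.
        tolower($1) == "match"     { in_match = 1 }
        in_match                   { next }
        # Keywords are case-insensitive; several DenyUsers lines may exist.
        tolower($1) == "denyusers" {
            for (i = 2; i <= NF; i++) if ($i == user) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configurations (not taken from a real UNEM host).
SAMPLES=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'denyusers guest nemadm' > "$SAMPLES/compliant"
printf '%s\n' '#DenyUsers nemadm' 'DenyUsers nemadm@10.0.0.*' > "$SAMPLES/host_only"
printf '%s\n' 'Match Address 10.0.0.0/8' '    DenyUsers nemadm' > "$SAMPLES/match_only"

for f in compliant host_only match_only; do
    if denyusers_has "$SAMPLES/$f" nemadm; then
        echo "$f: nemadm denied globally"
    else
        echo "$f: workaround NOT in effect for all connections"
    fi
done
```

The check reads a single file and does not follow Include directives; where the sshd binary is available, `sshd -T` prints the effective configuration and can be checked for a `denyusers` line instead.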
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
UNEM R16B
- HOTFIX: UNEM R16B PC2: Update to UNEM R16B PC3 or later (UNEM R16B PC4 recommended)
- HOTFIX: UNEM R16A, R15A, or older than R15A: End-of-life versions with no patch available. Migrate to supported version UNEM R16B PC4 or R15B PC5
UNEM R15B
- HOTFIX: UNEM R15B PC4: Update to UNEM R15B PC5 when available
Mitigations - no patch available
The following products have reached End of Life with no planned fix: UNEM R16A, UNEM R15A, UNEM older than R15A. Apply the following compensating controls:
- HARDENING: Isolate process control systems from the Internet and other networks using a firewall with minimal exposed ports
- HARDENING: If remote access is required, deploy a VPN and ensure it is kept up-to-date
- HARDENING: Scan all portable computers and removable storage media for malware before connecting to process control systems
CVEs (8)