Hitachi Energy XMC20
Priority: Monitor
Severity score: 6.9
Source: ICS-CERT ICSA-25-063-04, Mar 4, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
This is a path traversal (zip slip) vulnerability in Hitachi Energy XMC20 that allows an attacker with administrator or engineering credentials to have the contents of an archive written outside the directory the extraction is meant to be confined to. This could result in unauthorized modification of, or access to, system files and configuration data. The vulnerability affects XMC20 R15A, R15B, R16A, and R16B Revision C and earlier versions.
What this means
What could happen
An attacker holding administrator or engineering credentials could read or modify files outside the intended directory scope on the XMC20 system, potentially altering system configuration or accessing sensitive data.
Who's at risk
Energy utilities and transportation operators running Hitachi Energy XMC20 energy management systems should assess their deployments, particularly those still running R15A, R15B, or R16A versions that are out of support. Organizations relying on XMC20 for dispatch, monitoring, or control of generation, transmission, or distribution assets are affected.
How it could be exploited
An attacker with administrator or engineering credentials can craft a malicious archive whose entry names contain path traversal sequences (the zip slip pattern); when XMC20 extracts that archive, files are written to unintended directories on the system. This could allow modification of system files or configuration data used by the energy management platform.
Prerequisites
- Administrator or engineering-level credentials on the XMC20 system
- Ability to upload or introduce a specially crafted archive file to the XMC20
- User interaction or automated process that extracts the malicious archive
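As an added illustration, not code from the advisory or from Hitachi Energy, the routine below shows the control an archive-import function needs in order to block the zip slip pattern described above: each entry's resolved destination path is checked against the target directory before anything is written, and entries that escape are reported rather than extracted. The archive it processes is constructed in memory with one legitimate entry and two traversal entries; the directory and entry names are assumptions chosen for the demonstration.

```python
import io
import os
import tempfile
import zipfile


class ZipSlipError(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Return the absolute path an entry would be written to, or raise
    ZipSlipError if that path lies outside dest_dir (the zip slip check).

    realpath() is applied to both sides so that '..' components, absolute
    entry names and symlinks already present under dest_dir are all resolved
    before the comparison.
    """
    dest_root = os.path.realpath(dest_dir)
    # Normalise separators so a Windows-style '..\\' traversal is caught too.
    normalised = entry_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(dest_root, normalised))
    # commonpath works component-wise, so '/srv/import-other' does not pass
    # as a child of '/srv/import'.
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ZipSlipError(f"entry {entry_name!r} resolves outside {dest_root}")
    return target


def is_safe_entry(dest_dir: str, entry_name: str) -> bool:
    """Boolean form of resolve_entry(), convenient for pre-screening a listing."""
    try:
        resolve_entry(dest_dir, entry_name)
        return True
    except ZipSlipError:
        return False


def safe_extract(archive_bytes: bytes, dest_dir: str) -> dict:
    """Extract a zip archive into dest_dir, skipping every entry that fails the
    path check. Returns {'extracted': [...], 'rejected': [...]} so the caller
    can log rejected names as an indicator of a tampered import file."""
    report = {"extracted": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            try:
                target = resolve_entry(dest_dir, info.filename)
            except ZipSlipError:
                report["rejected"].append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            report["extracted"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed sample: one legitimate entry plus two traversal entries
    (POSIX and Windows separators). Not a real XMC20 import file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/settings.xml", "<settings/>")
        zf.writestr("../../outside.txt", "escaped")
        zf.writestr("..\\..\\outside_win.txt", "escaped")
    return buf.getvalue()


def demo() -> dict:
    """Run the sample archive through safe_extract() in a scratch directory and
    confirm nothing landed outside the intended import directory."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "import")  # assumed import directory name
        os.makedirs(dest)
        report = safe_extract(build_sample_archive(), dest)
        report["outside_files"] = sorted(p for p in os.listdir(tmp) if p != "import")
        return report


if __name__ == "__main__":
    print(demo())
```

The rejected list is worth surfacing in the device or application log: a legitimate configuration package never needs `..` or absolute entry names, so any rejection is a strong signal that an uploaded archive was crafted rather than exported by the product.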
- Requires higher-level credentials (not unauthenticated)
- Path traversal / zip slip vulnerability class
- No patches available for R15A, R15B, R16A (end-of-life)
- Affects integrity of system files and configuration
- EPSS score is low (0.2%)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
1 with fix, 3 EOL
Product | Affected Versions | Fix Status
--- | --- | ---
XMC20 R16B Revision C (cent2_r16b04_02, co5ne_r16b04_02) and older including all subversions | R16B Revision C | R16B Revision D (cent2_r16b04_07, co5ne_r16b04_07)
XMC20 R15A and older including all subversions | ≤ R15A | No fix (EOL)
XMC20 R15B | R15B | No fix (EOL)
XMC20 R16A | R16A | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Implement firewall rules to restrict access to XMC20 management interfaces to authorized engineering workstations only
- WORKAROUND: Disable unnecessary file upload or import features on XMC20 if they are not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update XMC20 R16B to Revision D (version cent2_r16b04_07 or co5ne_r16b04_07)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: XMC20 R15A and older including all subversions, XMC20 R15B, XMC20 R16A. Apply the following compensating controls:
- HARDENING: For XMC20 R15A, R15B, and R16A, plan migration to XMC20 R16B Revision D, as end-of-life versions will not receive security patches
- HARDENING: Ensure the process control network is physically isolated from the Internet and separated from corporate networks by a firewall
- HARDENING: Restrict removable media and portable computer connections to the XMC20 network; scan for malware before use
CVEs (1)