Hitachi Energy XMC20

Monitor | CVSS 6.9 | ICS-CERT ICSA-25-063-04 | Mar 4, 2025
Hitachi Energy | Energy | Transportation
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability (Zip Slip) in Hitachi Energy XMC20 allows an authenticated attacker to access files or directories outside the authorized scope. XMC20 R16B Revision C and older R16B versions are affected and can be patched. XMC20 R15A, R15B, and R16A are end-of-life with no remediation planned; operators of these versions should migrate to R16B Revision D. The vulnerability has a CVSS score of 6.9 and requires administrative credentials to exploit.

What this means
What could happen
An attacker with administrative credentials could access files and directories outside the authorized scope on the XMC20 system, potentially reading sensitive configuration or operational data.
Who's at risk
Energy and transportation operators using Hitachi Energy XMC20 systems for substation or control center management. This is particularly critical for those running older R15 or R16A versions (end-of-life with no patches) or R16B Revision C systems.
How it could be exploited
An attacker with valid administrative credentials could upload or manipulate files through the XMC20 interface to exploit a path traversal flaw (Zip Slip), allowing them to read arbitrary files on the system outside the intended directory scope.
Prerequisites
  • Valid administrative credentials for XMC20
  • Network access to the XMC20 web interface or management port
  • Ability to upload or manipulate file archives to the system
remotely exploitable (via network interface) | requires administrative credentials (reduces risk but not zero) | path traversal to arbitrary file access | affects critical energy infrastructure | some versions have no vendor patch available
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (4)
1 with fix, 3 EOL
Product | Affected Versions | Fix Status
XMC20 R16B Revision C (cent2_r16b04_02, co5ne_r16b04_02) and older including all subversions | R16B Revision C | R16B Revision D (cent2_r16b04_07, co5ne_r16b04_07)
XMC20 R15A and older including all subversions | ≤ R15A | No fix (EOL)
XMC20 R15B | R15B | No fix (EOL)
XMC20 R16A | R16A | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to XMC20 management ports using firewall rules to only trusted administrative workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

XMC20 R15B
HOTFIX: Update XMC20 R15B systems to R16B Revision D (cent2_r16b04_07, co5ne_r16b04_07)
All products
HOTFIX: Update XMC20 R16B Revision C systems to R16B Revision D (cent2_r16b04_07, co5ne_r16b04_07)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: XMC20 R15A and older including all subversions, XMC20 R15B, XMC20 R16A. Apply the following compensating controls:
HARDENING: Plan migration of XMC20 R15A, R15B, and R16A systems from end-of-life versions to R16B Revision D, since no vendor patches are available
HARDENING: Implement air-gapping or network segmentation to isolate XMC20 from direct Internet connections
API: /api/v1/advisories/99c7bef0-296c-4c9e-8962-d43e9264c9f4