Hitachi Energy UNEM/ECST
Monitor | CVSS 6.8 | ICS-CERT ICSA-25-063-05 | Mar 4, 2025
Hitachi Energy | Energy | Manufacturing
Attack path
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
SSH host key verification vulnerability in Hitachi Energy UNEM/ECST and XMC20 products. The vulnerability allows attackers to intercept or falsify data exchanges between client and server. CWE-297 (Improper Validation of Certificate with Host Mismatch). Not remotely exploitable; requires physical or direct network access.
What this means
What could happen
An attacker with direct network access or ability to perform a man-in-the-middle attack could intercept communications between engineering workstations and control servers, potentially allowing them to read sensitive data or inject false commands into the control system.
Who's at risk
This affects energy sector operators and manufacturing facilities using Hitachi Energy's network management and control station software (UNEM, ECST) and the XMC20 engineering tool. Particularly relevant to utilities and industrial plants managing power systems, distribution networks, and process control infrastructure.
How it could be exploited
The attacker must be on the same network segment as the UNEM/ECST/XMC20 system (not remotely exploitable from the Internet). They intercept the SSH connection between client and server, exploiting the lack of proper host key verification to perform a man-in-the-middle attack and either capture data or inject commands.
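The client-side check whose absence enables this interception, as an added example (not Hitachi Energy code, and not part of the advisory): the presented SSH host key is compared against keys pinned out of band, and the connection proceeds only on an exact match. The host names, key bytes and function names are constructed placeholders.

```python
import base64
import hashlib
import struct

def wire_string(data: bytes) -> bytes:
    """SSH wire encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(public_key: bytes) -> bytes:
    """ssh-ed25519 public key blob: type name followed by the 32-byte key."""
    return wire_string(b"ssh-ed25519") + wire_string(public_key)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, for alert messages and audits."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text: str) -> dict:
    """Map host name -> set of pinned key blobs (plain entries only)."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @markers and hashed host names (out of scope here).
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        try:
            blob = base64.b64decode(fields[2], validate=True)
        except ValueError:
            continue  # malformed key material is never trusted
        for host in fields[0].split(","):
            pinned.setdefault(host, set()).add(blob)
    return pinned

def check_host_key(pinned: dict, host: str, presented: bytes) -> str:
    """Return 'match', 'unknown-host' or 'mismatch'; connect only on 'match'."""
    if host not in pinned:
        return "unknown-host"  # no silent trust on first use
    return "match" if presented in pinned[host] else "mismatch"

# Constructed sample data: placeholder hosts, key bytes are fixed patterns.
SERVER_KEY = ed25519_blob(bytes(range(32)))
ROGUE_KEY = ed25519_blob(bytes(range(1, 33)))
PINNED = parse_known_hosts(
    "unem.example,192.0.2.10 ssh-ed25519 " + base64.b64encode(SERVER_KEY).decode()
)

if __name__ == "__main__":
    for key in (SERVER_KEY, ROGUE_KEY):
        print(check_host_key(PINNED, "unem.example", key), fingerprint(key))
```

A "mismatch" or "unknown-host" result should abort the session and be logged with the fingerprint so operators can compare it against the server's real key.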
Prerequisites
- Direct network access to the control system (same network segment)
- Ability to position between client and server (ARP spoofing, network tap, or compromised network device)
- Client initiating SSH connection to the affected server
- No authentication required for the vulnerability itself
- Low complexity attack
- Affects SCADA/network management systems
- Multiple product versions EOL without fix available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (7)
4 with fix, 1 pending, 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| ECST less than 16.2.1 | <16.2.1 | 16.2.1 |
| UNEM older than R15A | <R15A | No fix yet |
| UNEM R16B PC2 and earlier | ≤ R16B PC2 | R16B_PC3 |
| UNEM R15B PC4 or prior | ≤ R15B PC4 | R15B_PC5 |
| UNEM R16A | R16A | No fix (EOL) |
| UNEM R15A | R15A | No fix (EOL) |
| XMC20 less than R16B | <R16B | R16B |
Remediation & Mitigation
Do now
- WORKAROUND: Implement firewall rules to restrict SSH access to these systems from only authorized engineering workstations and networks
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update UNEM R16B to PC3 or later
- HOTFIX: Update UNEM R15B to PC5 or later (when update becomes available)
- HOTFIX: Update ECST to version 16.2.1 or later
- HOTFIX: Update XMC20 to R16B or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: UNEM R16A, UNEM R15A. Apply the following compensating controls:
- HARDENING: For EOL versions (UNEM R16A, R15A) with no fix available, migrate to UNEM R16B or later (R16A users are entitled to free upgrade to R16B)
- HARDENING: Segment the control system network from the corporate IT network using a firewall with minimal exposed ports
- HARDENING: Restrict physical access to process control systems and network infrastructure to authorized personnel only
CVEs (1)