OTPulse

Hitachi Energy UNEM/ECST

Monitor · CVSS 6.8 · ICS-CERT ICSA-25-063-05 · Mar 4, 2025
Attack Vector: Physical
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

This vulnerability is an SSH host key verification flaw in Hitachi Energy's UNEM and ECST products. Successful exploitation allows attackers on the local network to intercept or falsify data exchanges between the client and server through a man-in-the-middle attack. The vulnerability affects UNEM versions R15A through R16B PC2, XMC20 versions prior to R16B, and ECST versions prior to 16.2.1. Hitachi Energy has released fixed versions for most products but will not provide patches for end-of-life UNEM R15A and R16A installations. Users of R16A systems are entitled to upgrade to UNEM R16B.

What this means
What could happen
An attacker with physical or local network access could intercept or falsify data exchanged between UNEM/ECST engineering workstations and control servers, potentially allowing tampering with configuration or monitoring data.
Who's at risk
Owners of Hitachi Energy UNEM and ECST systems used in energy generation and manufacturing facilities should care about this issue. It affects engineering workstations and control servers that manage generation facilities, substations, or industrial automation equipment where configuration and real-time data exchange is critical.
How it could be exploited
An attacker on the same local network or with physical access to the network can perform a man-in-the-middle attack to intercept the SSH session between a client and UNEM/ECST server. The vulnerability stems from inadequate SSH host key verification, allowing the attacker to decrypt, read, or modify the data in transit without detection.
Prerequisites
  • Local or same-network access to the communication path between UNEM/ECST client and server
  • SSH session initiated between client and server
  • No requirement for credentials to intercept the connection
  • No authentication required to intercept connection
  • Low complexity attack
  • Local network access required (not remotely exploitable)
  • End-of-life versions with no fix available
  • SSH key verification bypass
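
As an added illustration (not code from Hitachi Energy or from this advisory), the Python below shows the fail-closed host key check whose absence makes such interception possible: the presented key is compared with a fingerprint pinned at commissioning, and anything other than an exact match stops the session. The function names, hostnames, address and key blobs are constructed for the example, and it assumes plain (unhashed) known_hosts-style lines.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, unpadded base64."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(known_hosts_text: str) -> dict:
    """Parse 'host[,host] keytype base64key' lines into {(host, keytype): fingerprint}."""
    pins = {}
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # skip blanks, comments, markers and hashed entries (not handled here)
        hosts, keytype, key_b64 = fields[:3]
        for host in hosts.split(","):
            pins[(host, keytype)] = fingerprint(key_b64)
    return pins

def verify_host_key(pins: dict, host: str, keytype: str, presented_b64: str) -> str:
    """Return 'ok', 'unknown' or 'mismatch'. Only 'ok' may proceed to authentication."""
    pinned = pins.get((host, keytype))
    if pinned is None:
        return "unknown"   # no pin on record: enrol the key out of band, do not auto-accept
    if hmac.compare_digest(pinned, fingerprint(presented_b64)):
        return "ok"
    return "mismatch"      # key differs from the pin: abort the session and alert

# Constructed sample data: opaque stand-in blobs, not real keys; hosts are placeholders.
SERVER_KEY = base64.b64encode(b"constructed-unem-server-host-key").decode()
OTHER_KEY = base64.b64encode(b"constructed-unexpected-host-key").decode()
KNOWN_HOSTS = (
    "# pinned during commissioning\n"
    f"unem-server.example,192.0.2.10 ssh-ed25519 {SERVER_KEY}\n"
)
PINS = load_pins(KNOWN_HOSTS)

if __name__ == "__main__":
    for host, key in [("unem-server.example", SERVER_KEY),
                      ("192.0.2.10", OTHER_KEY),
                      ("new-host.example", SERVER_KEY)]:
        print(host, verify_host_key(PINS, host, "ssh-ed25519", key))
```

A client that treats "unknown" or "mismatch" as acceptable, or never performs the comparison, gives the user no signal that the peer is not the intended server.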
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
4 with fix · 1 pending · 2 EOL
Product | Affected Versions | Fix Status
ECST less than 16.2.1 | <16.2.1 | 16.2.1
UNEM older than R15A | <R15A | No fix yet
UNEM R16B PC2 and earlier | ≤ R16B PC2 | R16B_PC3
UNEM R15B PC4 or prior | ≤ R15B PC4 | R15B_PC5
UNEM R16A | R16A | No fix (EOL)
UNEM R15A | R15A | No fix (EOL)
XMC20 less than R16B | <R16B | R16B
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to UNEM/ECST systems using firewall rules; only allow SSH connections from authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

UNEM R16A
HOTFIX: For end-of-life UNEM R16A installations, migrate to UNEM R16B to receive security updates
UNEM R15A
HOTFIX: For end-of-life UNEM R15A installations, evaluate migration to R15B PC5 or R16B as appropriate
All products
HOTFIX: Update UNEM R16B to version PC3 or later
HOTFIX: Update UNEM R15B to version PC5 or later
HOTFIX: Update XMC20 to version R16B or later
HOTFIX: Update ECST to version 16.2.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: UNEM R16A, UNEM R15A. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate process control systems from general office networks and the Internet
HARDENING: Disable direct Internet connections and ensure no direct connectivity between process control networks and external networks
Hitachi Energy UNEM/ECST | CVSS 6.8 - OTPulse