OTPulse

Hitachi Energy RTU500 Series (Update B)

Action: Plan Patch · CVSS 8.7 · ICS-CERT ICSA-25-093-01 · Apr 3, 2025
Attack Vector: Network
Auth Required: High
Complexity: High
User Interaction: None needed
Summary

Multiple denial-of-service vulnerabilities exist in Hitachi Energy RTU500 series CMU (Communications Management Unit) firmware. The vulnerabilities result from a null pointer dereference (CWE-476), an insufficient resource pool (CWE-410), and missing synchronization (CWE-820). Exploitation requires network access to the CMU management interface and high-level administrator privileges. Successful exploitation causes the CMU process to become unresponsive, preventing legitimate monitoring and control operations. Affected firmware versions include 12.0.1–12.0.14, 12.2.1–12.2.12, 12.4.1–12.4.11, 12.6.1–12.6.10, 12.7.1–12.7.7, 13.2.1–13.2.7, 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, and 13.7.1–13.7.4. No active exploitation has been reported.

What this means
What could happen
An attacker with high privileges and network access could trigger a denial-of-service condition on the RTU500's CMU, leaving the unit unresponsive and interrupting real-time monitoring and control of the substation and grid assets it supervises.
Who's at risk
Operators of electrical distribution and transmission systems using Hitachi Energy RTU500 series remote terminal units should prioritize this vulnerability. RTU500s are critical for real-time monitoring and control in substations and remote generation/transmission points; a denial-of-service attack would blind operators to network status and prevent remote control actions.
How it could be exploited
An attacker must first gain network access to the RTU500 CMU (Communications Management Unit) management interface and hold high-level administrative credentials. They would then send a specially crafted request that triggers one of the three fault conditions (a null pointer dereference, a missing-synchronization race, or exhaustion of an insufficiently sized resource pool), causing the CMU process to crash or hang so that it no longer answers legitimate monitoring and control traffic.
Prerequisites
  • Network access to RTU500 CMU management interface
  • High-level administrative or operator credentials
  • A target CMU running one of the affected firmware versions (know which units in your fleet these are)
  • Ability to craft network requests to the CMU
  • Remotely exploitable
  • High privilege requirement reduces likelihood
  • Low exploit probability (EPSS 0.3%)
  • Affects critical grid monitoring and control infrastructure
  • Requires maintenance window for patching
  • Multiple versions affected across firmware releases
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
RTU500 series CMU Firmware | 12.0.1–12.0.14; 12.2.1–12.2.12; 12.4.1–12.4.11; 12.6.1–12.6.10; 12.7.1–12.7.7; 13.2.1–13.2.7; 13.4.1–13.4.4; 13.5.1–13.5.3; 13.6.1; 13.7.1–13.7.4 | Fixed in 12.7.8 (all 12.x ranges); 13.7.7 for all 13.x ranges, with 13.5.4 and 13.6.3 as in-branch alternatives for 13.5.x and 13.6.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the RTU500 CMU management interface using firewall rules; only allow connections from authorized engineering workstations and control center systems on specific ports
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 CMU firmware to a fixed release for the branch in use:
  • 12.0.1–12.0.14, 12.2.1–12.2.12, 12.4.1–12.4.11, 12.6.1–12.6.10, 12.7.1–12.7.7: update to 12.7.8
  • 13.2.1–13.2.7, 13.4.1–13.4.4: update to 13.7.7
  • 13.5.1–13.5.3: update to 13.7.7, or to 13.5.4 to stay on the 13.5 branch
  • 13.6.1: update to 13.7.7, or to 13.6.3 to stay on the 13.6 branch
  • 13.7.1–13.7.4: update to 13.7.7
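The affected ranges and fix targets above are enough to triage a whole fleet before the maintenance window. The script below is an added example, not code from Hitachi Energy, CISA or OTPulse: it encodes the advisory's ranges, classifies each unit from an inventory, and refuses to mark anything "safe" that the advisory simply does not list. The inventory format (one "unit_name,firmware_version" line per CMU), the unit names and the sample versions are assumptions for illustration.

```python
"""Fleet triage against the affected RTU500 CMU firmware ranges in ICSA-25-093-01 (Update B).

Added example, not code from Hitachi Energy, CISA or OTPulse. The ranges and
fix targets below are copied from the advisory text; the inventory format
(one "unit_name,firmware_version" line per CMU), the unit names and the
sample versions are assumptions for illustration.
"""

# (first affected, last affected, fix that clears every listed range, in-branch alternative)
AFFECTED_RANGES = [
    ("12.0.1", "12.0.14", "12.7.8", None),
    ("12.2.1", "12.2.12", "12.7.8", None),
    ("12.4.1", "12.4.11", "12.7.8", None),
    ("12.6.1", "12.6.10", "12.7.8", None),
    ("12.7.1", "12.7.7",  "12.7.8", None),
    ("13.2.1", "13.2.7",  "13.7.7", None),
    ("13.4.1", "13.4.4",  "13.7.7", None),
    ("13.5.1", "13.5.3",  "13.7.7", "13.5.4"),  # advisory also allows staying on 13.5
    ("13.6.1", "13.6.1",  "13.7.7", "13.6.3"),  # advisory also allows staying on 13.6
    ("13.7.1", "13.7.4",  "13.7.7", None),
]


def parse_version(text):
    """'12.0.14' -> (12, 0, 14); rejects anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected RTU500 firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version):
    """Return None if the version is outside every listed range, else the fix options.

    Tuple comparison keeps the check inside one major.minor branch: a version
    with a different minor number is either below the range start or above
    its end, so e.g. 12.1.5 is not caught by the 12.0.x or 12.2.x ranges.
    """
    v = parse_version(version)
    for first, last, fix, alt in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return {"version": version, "fix": fix, "alt_fix": alt}
    return None


def triage_inventory(inventory_text):
    """Classify each 'unit,version' line; unparseable versions are reported, not skipped."""
    report = []
    for line in inventory_text.strip().splitlines():
        unit, _, version = line.partition(",")
        try:
            hit = assess(version)
        except ValueError as exc:
            report.append((unit, "unparseable", str(exc)))
            continue
        if hit is None:
            # Not in a listed range: could be already fixed, or a release the
            # advisory does not mention. Flag it rather than marking it safe.
            report.append((unit, "not_listed", version))
        else:
            target = hit["fix"] if hit["alt_fix"] is None else f'{hit["fix"]} or {hit["alt_fix"]}'
            report.append((unit, "affected", f"{version} -> {target}"))
    return report


# Constructed sample inventory (unit names and versions are made up).
SAMPLE_INVENTORY = """\
sub-north-rtu01,12.0.9
sub-north-rtu02,12.7.8
sub-east-rtu01,13.5.2
sub-east-rtu02,13.6.1
sub-west-rtu01,13.7.4
sub-west-rtu02,12.1.5
sub-south-rtu01,13.7
"""

if __name__ == "__main__":
    for unit, status, detail in triage_inventory(SAMPLE_INVENTORY):
        print(f"{unit:18} {status:12} {detail}")
```

A "not_listed" result covers both already-fixed units (12.7.8 in the sample) and releases the advisory never mentions (12.1.5), so it is a prompt to confirm against the vendor's release notes rather than a green light.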
Long-term hardening
HARDENING: Implement network segmentation to isolate process control systems from corporate networks and the internet; place RTU500 units behind firewalls with minimal exposed ports
HARDENING: Enforce strong authentication and access controls on the RTU500 CMU; ensure only authorized personnel with engineering credentials can connect to management interfaces
HARDENING: Scan portable computers and removable media for malware before connecting to RTU500 systems; prohibit direct internet access and email use on control system workstations
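The "Do now" workaround (allow only authorized engineering workstations and control-center systems on specific ports) and the segmentation item above (firewall with minimal exposed ports) are the same allow-list seen from two angles. The ruleset below is an added example, not from the advisory or Hitachi Energy, written for an nftables firewall that forwards traffic between the control-center/OT LAN and the substation LAN where the CMU sits. The addresses, the workstation set and the management port set are assumed placeholders; replace them with the CMU's documented management port(s) and your own subnets.

```nft
#!/usr/sbin/nft -f
# Added example: allow-list for the RTU500 CMU management interface on a
# firewall that forwards traffic between the OT LAN and the substation LAN.
# Every address below and the port set are ASSUMED placeholders.

define cmu_mgmt       = 10.20.30.40                 # assumed CMU management address
define eng_ws         = { 10.10.5.10, 10.10.5.11 }  # assumed engineering workstations
define control_center = 10.10.100.0/24              # assumed control-center SCADA subnet
define cmu_mgmt_ports = { 443 }                     # assumed; use the CMU's documented port(s)

table inet rtu500_cmu {
    chain forward {
        # Default deny: nothing reaches the CMU unless a rule below allows it
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Only named sources may open sessions, and only to the management port(s)
        ip saddr $eng_ws         ip daddr $cmu_mgmt tcp dport $cmu_mgmt_ports ct state new accept
        ip saddr $control_center ip daddr $cmu_mgmt tcp dport $cmu_mgmt_ports ct state new accept

        # Anything else aimed at the CMU (other ports, unlisted sources, UDP) is
        # logged so blocked attempts show up in the SIEM, then dropped
        ip daddr $cmu_mgmt log prefix "rtu500-cmu-deny: " level warn drop

        # Non-CMU traffic through this firewall needs its own explicit rules;
        # it falls to the chain's drop policy otherwise
    }
}
```

Load with `nft -f <file>` on the firewall. Because this chain owns the forward hook with a drop policy, add it to an existing ruleset rather than replacing one, and test from an unlisted host first: the expected result is a "rtu500-cmu-deny:" log line and no TCP handshake, which also gives the SOC a ready-made detection for probing of the CMU by a host that should never talk to it.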