OTPulse

Hitachi Energy RTU500 Series

Plan Patch · CVSS 8.2 · ICS-CERT ICSA-25-128-02 · May 8, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy RTU500 series CMU Firmware versions 12.0.1 through 13.4.3 contain cross-site scripting (XSS) and denial-of-service vulnerabilities in the web management interface. An attacker with high-privilege network credentials can inject malicious scripts or craft requests to cause the device to become unresponsive, disrupting operator access and situational awareness. The vulnerabilities require high-privilege credentials and knowledge of the web interface, but could enable persistent access or operational disruption if the device is accessible from untrusted networks.

What this means
What could happen
An attacker with high-level network access could inject malicious scripts into the RTU500 web interface or trigger a denial-of-service condition, potentially disrupting operator access to the device during critical grid or manufacturing operations.
Who's at risk
Energy utilities and manufacturing plants operating Hitachi Energy RTU500 series remote terminal units, which are used for substation automation, distribution management, and process control. Any site running RTU500 CMU Firmware versions 12.0.1 through 13.4.3 (see the version ranges listed under Affected products) should prioritize assessment and patching.
How it could be exploited
An attacker with administrative or high-privilege credentials and network access to the RTU500 CMU (Control and Monitoring Unit) web interface can inject malicious scripts (XSS) that execute in the browsers of other operators, or send crafted requests to trigger a denial-of-service condition that makes the device unresponsive.
Prerequisites
  • High-privilege credentials for the RTU500 device (PR:H per CVSS vector)
  • Network access to the RTU500 CMU web interface (port typically 80/443)
  • Operator or engineer must interact with the web interface for XSS payload to execute
  • Remotely exploitable (network access to web interface)
  • Requires high-privilege credentials (not unauthenticated)
  • Low attack complexity
  • Affects availability and confidentiality
  • DoS can disrupt operator visibility during operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: RTU500 series CMU Firmware
Affected Versions: ≥ 12.0.1 and ≤ 12.0.14; ≥ 12.2.1 and ≤ 12.2.11; ≥ 12.4.1 and ≤ 12.4.11 and 4 more
Fix Status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to RTU500 CMU web interface to authorized management networks and engineering workstations only; implement firewall rules to block external access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 CMU Firmware to patched version: 12.0.15, 12.2.12, 12.4.12, 12.6.10, 12.7.7, 13.2.7, or 13.4.4/13.5.1 depending on current version
Long-term hardening
HARDENING: Isolate RTU500 devices on a dedicated control network segment physically or logically separated from corporate IT networks
HARDENING: If remote access to RTU500 is required, enforce VPN connectivity with current security patches and multi-factor authentication for privileged access
Hitachi Energy RTU500 Series | CVSS 8.2 - OTPulse