Hitachi Energy RTU500 Series

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-128-02 | May 8, 2025
Hitachi Energy | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy RTU500 series CMU Firmware versions 12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 12.7.1–12.7.6, 13.2.1–13.2.6, and 13.4.1–13.4.3 contain cross-site scripting (CWE-79) and improper validation (CWE-1285) vulnerabilities in the web interface. A high-privilege user could inject malicious scripts affecting other users or trigger denial-of-service conditions. Successful exploitation could disrupt monitoring and remote control of grid assets.

What this means
What could happen
An attacker with high privileges could execute cross-site scripting attacks on the RTU500 web interface or trigger denial-of-service conditions, disrupting remote monitoring and control of grid assets. The XSS vulnerability could also allow theft of operator session tokens or manipulation of displayed setpoints.
Who's at risk
Energy utilities and manufacturing operators running Hitachi Energy RTU500 series remote terminal units should prioritize this. RTU500s are used for grid monitoring, substation automation, and remote asset control. The vulnerability requires high-privilege credentials to exploit, but successful attacks could disrupt remote operations and visibility of critical grid assets.
How it could be exploited
An attacker with high-privilege credentials (engineering or administrative access) can inject malicious script through the RTU500 web interface, affecting other users who access the device. Alternatively, a high-privilege attacker can send crafted input to trigger a denial-of-service condition that causes the device to become unresponsive to legitimate commands.
Prerequisites
  • Network access to RTU500 web interface (port 80 or 443)
  • High-privilege credentials (engineering or administrative user account)
Tags: remotely exploitable | requires high privileges | affects grid monitoring and control | low patch availability for older versions | denial-of-service potential
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
RTU500 series CMU Firmware | ≥ 12.0.1, ≤ 12.0.14; ≥ 12.2.1, ≤ 12.2.11; ≥ 12.4.1, ≤ 12.4.11; and 4 more | No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the RTU500 web interface: do not expose it to the Internet, and place it behind a firewall with rules limiting access to authorized engineering networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 CMU Firmware version 12.0.x to version 12.0.15
HOTFIX: Update RTU500 CMU Firmware version 12.2.x to version 12.2.12
HOTFIX: Update RTU500 CMU Firmware version 12.4.x to version 12.4.12
HOTFIX: Update RTU500 CMU Firmware version 12.6.x to version 12.6.10
HOTFIX: Update RTU500 CMU Firmware version 12.7.x to version 12.7.7
HOTFIX: Update RTU500 CMU Firmware version 13.2.x to version 13.2.7
HOTFIX: Update RTU500 CMU Firmware version 13.4.x to version 13.4.4 or 13.5.1
Long-term hardening
HARDENING: Enforce use of VPN with multi-factor authentication for all remote access to RTU500 devices
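
Added example (not part of the advisory or of any Hitachi Energy tooling): a triage helper that checks an asset inventory against the affected CMU firmware ranges from the Summary and returns the hotfix target listed above for each affected unit. The inventory rows, asset names and status labels are constructed for illustration; firmware strings that do not parse are flagged for manual review rather than treated as unaffected.

```python
import re

# Affected ranges and hotfix targets copied from this advisory:
# (major, minor) branch -> (first affected patch, last affected patch, fix).
AFFECTED = {
    (12, 0): (1, 14, "12.0.15"),
    (12, 2): (1, 11, "12.2.12"),
    (12, 4): (1, 11, "12.4.12"),
    (12, 6): (1, 9, "12.6.10"),
    (12, 7): (1, 6, "12.7.7"),
    (13, 2): (1, 6, "13.2.7"),
    (13, 4): (1, 3, "13.4.4 or 13.5.1"),
}
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def triage(version):
    """Return (status, hotfix_target) for one CMU firmware version string."""
    m = _VERSION.match(version or "")
    if not m:
        return ("unparseable", None)  # never treat a bad record as safe
    major, minor, patch = map(int, m.groups())
    branch = AFFECTED.get((major, minor))
    if branch is None:
        return ("not-listed", None)  # branch is not named in this advisory
    first, last, fixed = branch
    if first <= patch <= last:
        return ("affected", fixed)
    return ("outside-affected-range", None)


def triage_inventory(rows):
    """Return rows needing a hotfix or manual review, affected units first."""
    order = {"affected": 0, "unparseable": 1}
    flagged = [(a, v) + triage(v) for a, v in rows if triage(v)[0] in order]
    return sorted(flagged, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory: (asset name, reported CMU firmware version).
INVENTORY = [
    ("substation-a-rtu1", "12.0.14"),
    ("substation-a-rtu2", "12.0.15"),
    ("substation-b-rtu1", "13.4.2"),
    ("substation-c-rtu1", "13.5.1"),
    ("substation-d-rtu1", "12.7"),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(*row, sep="\t")
```

A "not-listed" result only means the branch is not named in this advisory; it says nothing about other advisories for that firmware.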
API: /api/v1/advisories/2757da27-1e2d-4ed7-9430-e4dbeea7eedf

Hitachi Energy RTU500 Series | CVSS 8.2 - OTPulse