Hitachi Energy RTU500 Series
Plan Patch · 8.2 · ICS-CERT ICSA-25-259-02 · Sep 16, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple denial-of-service vulnerabilities exist in Hitachi Energy RTU500 series CMU firmware versions 12.7.1–12.7.7, 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, and 13.7.1–13.7.6. Successful exploitation causes the RTU500 to become unresponsive, disrupting SCADA communication and real-time control of electrical substations and generation facilities. Exploitation requires only network access to standard RTU communication ports and no credentials.
What this means
What could happen
An attacker could cause a denial-of-service condition that stops the RTU500 from communicating with the grid or responding to commands, potentially disrupting real-time monitoring and control of power distribution or generation assets.
Who's at risk
Electric utilities and power generation operators managing Hitachi Energy RTU500 series remote terminal units used for SCADA monitoring and control of transmission and distribution assets. ISO/RTO operators are also affected if RTU500 devices are used in their control network.
How it could be exploited
An attacker with network access to the RTU500 device (on port 502 or other RTU communication ports) sends specially crafted packets or requests that trigger a crash or infinite loop in the CMU firmware, causing the device to stop responding to legitimate control commands.
Prerequisites
- Network access to RTU500 device (Modbus or IEC 60870-5-104 ports)
- No authentication required for exploitation
remotely exploitable · no authentication required · low complexity · no patch available for some versions · affects critical SCADA infrastructure
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (5)
5 pending
Product                                            Affected Versions      Fix Status
Hitachi Energy RTU500 series: 13.6.1               13.6.1                 No fix yet
Hitachi Energy RTU500 series: >=12.7.1|<=12.7.7    ≥ 12.7.1|≤ 12.7.7      No fix yet
Hitachi Energy RTU500 series: >=13.5.1|<=13.5.3    ≥ 13.5.1|≤ 13.5.3      No fix yet
Hitachi Energy RTU500 series: >=13.7.1|<=13.7.6    ≥ 13.7.1|≤ 13.7.6      No fix yet
Hitachi Energy RTU500 series: >=13.4.1|<=13.4.4    ≥ 13.4.1|≤ 13.4.4      No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to RTU500 devices from untrusted networks; allow only required Modbus and IEC 60870-5-104 traffic from authorized control centers
HARDENING: Ensure RTU500 devices are not directly accessible from the internet or business networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update RTU500 CMU Firmware version 12.7.1–12.7.7 to version 12.7.8
HOTFIX: Update RTU500 CMU Firmware version 13.5.1–13.5.3 to version 13.5.4
HOTFIX: Update RTU500 CMU Firmware version 13.6.1 to version 13.6.3
HOTFIX: Update RTU500 CMU Firmware version 13.7.1–13.7.6 to version 13.7.7
Long-term hardening
HARDENING: If remote access to RTU500 is required, use VPN with strong encryption and regularly update VPN software
CVEs (7)