Hitachi Energy RTU500 Series

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-25-259-02 | Sep 16, 2025
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Hitachi Energy RTU500 series devices (CWE-476: null pointer dereference, CWE-354: improper validation of integrity check value, CWE-611: XML external entity injection, CWE-122 and CWE-121: heap-based and stack-based buffer overflows, CWE-190: integer overflow, CWE-776: improper restriction of recursive entity references in DTDs) allow remote attackers without authentication to trigger denial-of-service conditions. Affected firmware versions include 12.7.1–12.7.7, 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, and 13.7.1–13.7.6. The vulnerabilities can be exploited over the network with low complexity to crash RTU500 devices or exhaust system resources.

What this means
What could happen
An attacker could trigger a denial-of-service condition in RTU500 devices, causing them to stop responding to commands and potentially halting remote terminal unit operations critical to power grid monitoring and control.
Who's at risk
Energy sector organizations operating Hitachi Energy RTU500 series remote terminal units used for monitoring and control of power generation, transmission, and distribution systems. This includes electric utilities and power operators managing grid operations through these networked devices.
How it could be exploited
An attacker with network access to an RTU500 device could send specially crafted requests to trigger one of the multiple vulnerabilities (buffer overflow, integer overflow, XML external entity injection, or null pointer dereference) to crash the device or exhaust resources, rendering it unavailable for normal operation.
Prerequisites
  • Network connectivity to the RTU500 device
  • No authentication required
  • Device running one of the affected firmware versions (12.7.1–12.7.7, 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, or 13.7.1–13.7.6)
  • Remotely exploitable
  • No authentication required
  • Low complexity exploitation
  • No patch available for some firmware versions
  • Affects safety-critical infrastructure
Exploitability
Some exploitation risk — EPSS score 2.1%
Public Proof-of-Concept (PoC) on GitHub (3 repositories)
Affected products (5)
5 pending
Product                                            Affected Versions      Fix Status
Hitachi Energy RTU500 series: 13.6.1               13.6.1                 No fix yet
Hitachi Energy RTU500 series: >=12.7.1|<=12.7.7    ≥ 12.7.1|≤ 12.7.7      No fix yet
Hitachi Energy RTU500 series: >=13.5.1|<=13.5.3    ≥ 13.5.1|≤ 13.5.3      No fix yet
Hitachi Energy RTU500 series: >=13.7.1|<=13.7.6    ≥ 13.7.1|≤ 13.7.6      No fix yet
Hitachi Energy RTU500 series: >=13.4.1|<=13.4.4    ≥ 13.4.1|≤ 13.4.4      No fix yet
Remediation & Mitigation
Do now
HARDENING: Restrict network access to RTU500 devices by ensuring they are not accessible from the internet and are located behind firewalls isolated from business networks
WORKAROUND: If remote access to RTU500 devices is required, use a Virtual Private Network (VPN) with the most recent available version
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RTU500 CMU Firmware version 12.7.1–12.7.7 to version 12.7.8 when available
HOTFIX: Update RTU500 CMU Firmware version 13.5.1–13.5.3 to version 13.5.4
HOTFIX: Update RTU500 CMU Firmware version 13.6.1 to version 13.6.3
HOTFIX: Update RTU500 CMU Firmware version 13.7.1–13.7.6 to version 13.7.7
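
To apply the affected ranges and update targets above to an asset inventory, the following is an added example (not part of the advisory or any Hitachi Energy tooling). The device names and the inventory format are hypothetical; versions are compared numerically so that a string such as 12.7.10 is not mistaken for a release inside 12.7.1–12.7.7.

```python
import re

# (first affected, last affected, update target stated on this page or None)
AFFECTED = [
    ((12, 7, 1), (12, 7, 7), "12.7.8 (when available)"),
    ((13, 4, 1), (13, 4, 4), None),  # no update target is listed for 13.4.x
    ((13, 5, 1), (13, 5, 3), "13.5.4"),
    ((13, 6, 1), (13, 6, 1), "13.6.3"),
    ((13, 7, 1), (13, 7, 6), "13.7.7"),
]

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if text is not x.y.z."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Classify one CMU firmware version string against the listed ranges."""
    v = parse_version(version_text)
    if v is None:
        return ("unknown", None)  # unparseable: check manually, do not assume safe
    for low, high, target in AFFECTED:
        if low <= v <= high:      # tuple comparison is numeric per component
            return ("affected", target)
    return ("not listed", None)

def triage_inventory(inventory):
    """Map device name -> (status, update target) for a {name: version} dict."""
    return {name: triage(ver) for name, ver in inventory.items()}

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE = {
    "rtu-sub-01": "13.7.6",
    "rtu-sub-02": "13.7.7",
    "rtu-sub-03": "13.4.2",
    "rtu-sub-04": "12.7.10",
    "rtu-sub-05": "13.6",
}

if __name__ == "__main__":
    for name, (status, target) in triage_inventory(SAMPLE).items():
        print(f"{name}: {status}, update target: {target or 'none listed'}")
```

Devices reported as affected with no update target, and devices with an unknown version, are the ones that depend on the network restrictions under "Do now".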

Hitachi Energy RTU500 Series | CVSS 8.2 - OTPulse