OTPulse

Hitachi Energy XMC20

Act Now 9
ICS-CERT ICSA-26-036-05
Feb 5, 2026
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Hitachi Energy XMC20 contains a RADIUS authentication vulnerability where MD5-based authentication packets can be forged. The vulnerability affects XMC20 R17A and earlier versions, as well as R18 unless the RADIUS Message-Authenticator option is enabled on both the XMC20 device and RADIUS server. Successful exploitation allows an attacker on the management network to forge authentication credentials, potentially gaining unauthorized access to energy management functions and control logic. This vulnerability only impacts systems configured to use remote RADIUS authentication.

What this means
What could happen
An attacker with network access to a RADIUS server can forge authentication messages and gain unauthorized access to the XMC20, potentially altering energy management configurations or disabling monitoring and control functions.
Who's at risk
Energy utilities and manufacturers operating Hitachi Energy XMC20 control systems (R17A or earlier, and R18 without mitigation) that use RADIUS authentication for remote management access. This affects supervisory control systems used in generation, transmission, and distribution facilities.
How it could be exploited
An attacker on the network between the XMC20 and RADIUS server (or with access to either system) can craft forged RADIUS authentication packets using MD5 forgery. The XMC20 accepts these packets without proper verification if Message-Authenticator is not enabled, allowing the attacker to bypass authentication and impersonate authorized users.
Prerequisites
  • Network access to the XMC20 and/or RADIUS server (same network or man-in-the-middle position)
  • XMC20 configured to use remote RADIUS authentication
  • Message-Authenticator option not enabled on XMC20 or RADIUS server
  • XMC20 running R17A or earlier, or R18 without the workaround applied
  • Remotely exploitable
  • No authentication required (forgery bypasses authentication)
  • Low complexity attack
  • High EPSS score (23.8%)
  • No vendor patch available for affected versions
  • Affects critical infrastructure (energy sector)
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
XMC20 | R18 | No fix yet
XMC20 | ≤ R17A | No fix yet
Remediation & Mitigation
Do now
XMC20
WORKAROUND: Enable the RADIUS Message-Authenticator option in both the XMC20 and RADIUS server configurations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

XMC20
HOTFIX: Update XMC20 to R18 and enable RADIUS Message-Authenticator in both XMC20 and RADIUS server configurations
HARDENING: Segment FOX management traffic using firewall rules to restrict communication between XMC20 and RADIUS server to authorized paths only
Long-term hardening
XMC20
HARDENING: Implement firewall rules to minimize exposed ports and prevent direct internet access to XMC20
All products
HARDENING: Isolate control system networks and remote devices from business networks using a firewall