Hitachi Energy XMC20

Act Now | CVSS 9 | ICS-CERT ICSA-26-036-05 | Feb 5, 2026
Hitachi Energy | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Hitachi Energy XMC20 contains a RADIUS authentication forgery vulnerability (CWE-924) that allows attackers to bypass message authentication if the RADIUS Message-Authenticator option is not enabled. Successful exploitation can lead to unauthorized access with potential impact on confidentiality, integrity, and availability. The vulnerability only affects deployments using remote RADIUS authentication. Versions R17A and earlier have no fix available; R18 is available but requires manual enablement of Message-Authenticator.

What this means
What could happen
An attacker with network access to your RADIUS authentication server can forge authentication messages to the XMC20, potentially bypassing access controls and gaining unauthorized administrative access to energy or manufacturing management systems. This could allow them to alter system configurations, disable monitoring, or disrupt critical operations.
Who's at risk
Energy and manufacturing organizations running Hitachi Energy XMC20 as a management system for substations, control networks, or industrial facilities. Primarily affects sites that use RADIUS authentication (common in enterprises with centralized directory services) to control access to the XMC20 appliance.
How it could be exploited
The attacker sends a crafted RADIUS response that bypasses integrity checking because the Message-Authenticator option is not enabled. The XMC20 accepts the forged response and grants unauthorized access. If the device is reachable from an untrusted network or if the RADIUS server is compromised, the attacker can impersonate legitimate administrators.
Prerequisites
  • Network access to the RADIUS communication path between XMC20 and the RADIUS server
  • XMC20 configured to use remote RADIUS authentication
  • RADIUS Message-Authenticator option disabled on either the XMC20 or RADIUS server
  • Remotely exploitable
  • High CVSS score (9.0)
  • High EPSS score (23.8%)
  • No patch available for R17A and older
  • Authentication bypass in critical infrastructure device
  • Affects integrity and availability of energy systems
Exploitability
Likely to be exploited — EPSS score 19.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2)
Product | Affected Versions | Fix Status
XMC20 | R18 | No fix yet
XMC20 | ≤ R17A | No fix yet
Remediation & Mitigation
Do now
XMC20
WORKAROUND: Enable the RADIUS Message-Authenticator option in both the XMC20 and your RADIUS server configurations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

XMC20
HOTFIX: Update XMC20 to R18 and then enable RADIUS Message-Authenticator in both XMC20 and RADIUS server
HARDENING: Segment and restrict FOX management traffic to XMC20 using firewall rules; isolate it from untrusted networks
Long-term hardening
HARDENING: Verify RADIUS server is not directly accessible from the internet or business networks; place behind firewall with minimal exposed ports
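
To confirm that the Message-Authenticator workaround is actually in effect, a defender can check RADIUS responses captured on the management network for a present and valid attribute. The following is an added example, not code from the advisory or from Hitachi Energy; it follows the HMAC-MD5 definition in RFC 2869, and the function names, the shared secret and the sample packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type defined in RFC 2869

def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        yield a_type, pos + 2, packet[pos + 2:pos + a_len]
        pos += a_len

def check_response(response: bytes, request_auth: bytes, secret: bytes) -> str:
    """Return 'valid', 'missing' or 'invalid' for the response's Message-Authenticator."""
    found = [(off, val) for t, off, val in iter_attributes(response)
             if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return "missing"  # response carries no integrity protection of this kind
    if len(found) != 1 or len(found[0][1]) != 16:
        return "invalid"
    off, received = found[0]
    length = struct.unpack("!H", response[2:4])[0]
    # HMAC-MD5 input: header with the *request* authenticator, attribute value zeroed
    buf = bytearray(response[:4] + request_auth + response[20:length])
    buf[off:off + 16] = bytes(16)
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, received) else "invalid"

def build_accept(ident: int, request_auth: bytes, secret: bytes, signed: bool = True) -> bytes:
    """Constructed sample Access-Accept (code 2), with or without Message-Authenticator."""
    attrs = bytes([18, 4]) + b"ok"  # Reply-Message attribute
    if signed:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    if signed:
        mac = hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs
```

A result of "missing" on responses reaching the XMC20 means the option is not enabled on the RADIUS server side, which is the condition this advisory describes.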