OTPulse
FeedAboutContact

Hitachi Energy FOX61x

Act Now9ICS-CERT ICSA-26-036-06Feb 5, 2026
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

Hitachi Energy FOX61x contains a RADIUS MD5 authentication bypass vulnerability (CWE-924) affecting devices using remote RADIUS authentication. The vulnerability allows attackers to forge RADIUS response messages and bypass authentication controls without valid credentials. Successful exploitation grants access to device management functions, potentially allowing unauthorized configuration changes, process alterations, or device shutdown. The vulnerability exists because RADIUS message authentication is not enabled by default in FOX61x or the RADIUS server configuration.

What this means
What could happen
An attacker could forge RADIUS authentication messages to bypass access controls on FOX61x devices, potentially allowing unauthorized login to management interfaces and modification of critical device configurations, setpoints, or shutdown commands.
Who's at risk
Energy utilities and industrial manufacturing facilities operating Hitachi Energy FOX61x intelligent electronic devices (IEDs) or protection relays that rely on RADIUS authentication for device access control. This affects any organization using FOX61x for substation automation, feeder protection, or process monitoring where remote authentication is configured.
How it could be exploited
An attacker on the same network as FOX61x or with network access to the RADIUS authentication path could craft forged RADIUS response messages using MD5 hash manipulation. The attacker does not need valid credentials—they can forge authentication responses that appear legitimate to the FOX61x device. Once authenticated, the attacker gains access to management functions.
Prerequisites
  • Network access to the RADIUS authentication path or FOX61x management interface (typically UDP port 1812 or management ports)
  • FOX61x device configured to use remote RADIUS authentication
  • No Message-Authenticator option enabled on FOX61x or RADIUS server (default state)
Remotely exploitableNo authentication required (attacker forges auth)High EPSS score (23.8%)No patch available for R17A and earlierAffects control system device access and configurationExploitable on default configurations
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (2)
2 pending
ProductAffected VersionsFix Status
FOX61xR18No fix yet
FOX61x≤ R17ANo fix yet
Remediation & Mitigation
0/6
Do now
0/3
FOX61x
WORKAROUNDEnable the RADIUS Message-Authenticator option in both FOX61x and RADIUS Server configurations (refer to Technical User Documentation 1KHW029042)
WORKAROUNDAfter upgrade to R18, enable the RADIUS Message-Authenticator option in both FOX61x and RADIUS Server configurations
HARDENINGSegment FOX61x management traffic from untrusted networks using firewall rules and VLANs to restrict who can reach the device
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

FOX61x
HOTFIXUpgrade FOX61x to R18 release (if available for your hardware revision)
Long-term hardening
0/2
FOX61x
HARDENINGRestrict direct internet connectivity to FOX61x devices and require VPN for any remote management access
All products
HARDENINGImplement network segmentation to isolate control system networks from business networks and the internet
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/63461d63-d725-464f-ba87-434cc900143a
Hitachi Energy FOX61x | CVSS 9 - OTPulse