Hitachi Energy FOX61x
Act NowCVSS 9ICS-CERT ICSA-26-036-06Feb 5, 2026
Hitachi EnergyEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary
Hitachi Energy FOX61x contains a RADIUS authentication forgery vulnerability (CWE-924) that affects versions R18 and earlier (R17A and below). Successful exploitation allows attackers to forge RADIUS messages, potentially compromising confidentiality, integrity, and availability. This vulnerability applies only to FOX61x devices configured to use remote RADIUS authentication for administrative access.
What this means
What could happen
An attacker with network access to RADIUS traffic could forge authentication messages to gain administrative access to FOX61x devices, allowing them to change configuration, disable safety functions, or disrupt power management operations. This is particularly critical in energy and manufacturing environments where FOX61x devices control protection relays and substation automation.
Who's at risk
Energy utilities and manufacturing facilities operating Hitachi Energy FOX61x devices (protection relays and substation automation controllers) that use RADIUS-based remote authentication for administrative access. This affects any environment where FOX61x is used in critical infrastructure protection and control roles, including transmission substations, distribution automation, and manufacturing process control.
How it could be exploited
An attacker on the network between the FOX61x device and RADIUS server can intercept and forge RADIUS authentication responses without valid credentials. The attacker sends a crafted RADIUS Access-Accept message to the FOX61x, which accepts it because the Message-Authenticator validation is disabled, granting administrative access. This requires network-level access to RADIUS traffic but no authentication credentials.
Prerequisites
- Network access to RADIUS authentication traffic between FOX61x and RADIUS server (typically port 1812/UDP)
- FOX61x configured to use remote RADIUS authentication for administrative access
- RADIUS Message-Authenticator option disabled on FOX61x and/or RADIUS server
remotely exploitablehigh CVSS score (9.0)no patch available for R17A and earlieraffects critical infrastructure control deviceshigh EPSS score (23.8%)no authentication required if Message-Authenticator disabled
Exploitability
Likely to be exploited — EPSS score 19.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (2)
2 pending
ProductAffected VersionsFix Status
FOX61xR18No fix yet
FOX61x≤ R17ANo fix yet
Remediation & Mitigation
0/5
Do now
0/3FOX61x
WORKAROUNDEnable the RADIUS Message-Authenticator option in FOX61x device configuration
All products
WORKAROUNDEnable the RADIUS Message-Authenticator option in RADIUS server configuration
HARDENINGSegment FOX management traffic (RADIUS) from untrusted networks using firewall rules
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
FOX61x
HOTFIXUpdate FOX61x to R18 when operationally feasible, then enable RADIUS Message-Authenticator on both FOX61x and RADIUS server
Long-term hardening
0/1FOX61x
HARDENINGRestrict network access to FOX61x management interfaces to authorized engineering workstations and monitoring systems only
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/63461d63-d725-464f-ba87-434cc900143aGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.