OTPulse
FeedAboutContact

Hitachi Energy SuprOS

Plan Patch8.8ICS-CERT ICSA-26-043-09Feb 12, 2026
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary

Hitachi Energy SuprOS versions 9.2.1 and below, and 9.2.2.0, contain a vulnerability that allows an attacker with local access and default credentials to achieve confidentiality, integrity, and availability impacts (CIA triad). The vulnerability stems from insecure credential management—default passwords and unwanted pre-configured accounts. No vendor patch is currently available; mitigation relies on hardening practices: changing default root passwords immediately upon deployment, removing unnecessary accounts, and following Hitachi Energy's Secure Deployment Guidelines. Network isolation from the internet and business networks is essential.

What this means
What could happen
An attacker with local access to a SuprOS system could read sensitive data, modify system configuration or operations, or cause the system to become unavailable by exploiting default or weak credentials.
Who's at risk
This affects energy utilities and transportation operators running Hitachi Energy SuprOS for substation automation, grid control, or traffic management. Anyone using SuprOS versions 9.2.1 or earlier, or version 9.2.2.0, is at risk if the system has default credentials or is accessible from untrusted networks.
How it could be exploited
An attacker gains local access to a SuprOS host (via console, SSH, or other local service). They use default or weak root/administrative credentials to log in, then execute arbitrary commands with full system privileges affecting confidentiality, integrity, and availability of the control system.
Prerequisites
  • Local access to the SuprOS system (console, SSH, or local service port)
  • Default or unchanged root/administrative credentials
default credentialslocal access requiredno patch availableaffects critical energy and transportation systems
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
SuprOS 9.2.1 and below≤ 9.2.1No fix (EOL)
SuprOS 9.2.2.09.2.2.0No fix (EOL)
Remediation & Mitigation
0/6
Do now
0/3
WORKAROUNDImmediately change the default root password upon installation or upgrade
WORKAROUNDRemove all unwanted or default user accounts from the system
HARDENINGFollow Hitachi Energy Secure Deployment Guidelines (chapter 4.3) for secure account configuration
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXApply a vendor update when available
HARDENINGRestrict network access to SuprOS systems—do not expose to the internet and isolate from business networks with firewalls
HARDENINGUse VPN with current security patches for any required remote access to SuprOS
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/eabdb82e-562c-4861-b165-1bced3c7758b
Hitachi Energy SuprOS | CVSS 8.8 - OTPulse