Hitachi Energy Relion REB500 Product

Monitor | CVSS 6.8 | ICS-CERT ICSA-26-062-02 | Mar 3, 2026
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Hitachi Energy Relion REB500 versions 8.3.3.0 and earlier contain authorization bypass vulnerabilities. Authenticated users assigned certain roles (such as Installer) can access and modify directory contents and files beyond their authorized permissions. This affects the device's ability to maintain proper access controls over protective relay configurations. The vulnerabilities are fixed in version 8.3.3.1.

What this means
What could happen
Authenticated users with certain roles can access and modify directory contents on the REB500 device beyond their authorization level, potentially allowing an attacker to alter protective relay configurations or read sensitive operational data.
Who's at risk
Energy sector organizations operating Hitachi Energy Relion REB500 protective relays in generation, transmission, or distribution facilities. This affects any site where REB500 devices are used for control and protection logic in substations or control centers.
How it could be exploited
An attacker with valid credentials for a role that should have limited access (such as the Installer role) can exploit an authorization bypass to access and modify files and directories on the REB500 that they should not be able to touch. This could include configuration files controlling relay logic or operation.
Prerequisites
  • Valid user credentials for a role with elevated access (e.g., Installer role)
  • Network access to the REB500 device management interface
  • The device is running REB500 version 8.3.3.0 or earlier
Requires valid credentials | Requires specific elevated role | Authorization bypass | Access to operational configurations
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
REB500 | ≤ 8.3.3.0 | 8.3.3.1
Remediation & Mitigation
Do now
WORKAROUND: Disable the Installer role outside of scheduled firmware update windows; enable only when performing firmware updates
HARDENING: Restrict network access to the REB500 management interface to authorized engineering workstations only; use firewall rules to block access from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update REB500 to firmware version 8.3.3.1 or later
Long-term hardening
HARDENING: Ensure REB500 devices are not directly accessible from the internet or business networks; place behind firewall and on isolated control system network
Hitachi Energy Relion REB500 Product | CVSS 6.8 - OTPulse