Hitachi Energy Relion REB500 Product

Monitor6.8ICS-CERT ICSA-26-062-02Mar 3, 2026

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

Hitachi Energy Relion REB500 versions 8.3.3.0 and earlier contain improper access control vulnerabilities. Authenticated users with certain roles can bypass directory permissions to access and modify files and directories they are not authorized to access. This affects file-based configurations and operational data on the relay.

What this means

What could happen

An authenticated user with certain roles on the REB500 could access and modify files and directories they should not have permission to, potentially compromising relay configurations or operational settings.

Who's at risk

Energy utilities operating Hitachi Energy Relion REB500 relays. The REB500 is a numerical relay used for protection and control of power transmission and distribution systems, so this affects anyone responsible for relay operations and configurations.

How it could be exploited

An attacker with valid credentials and an authorized role on the REB500 could bypass directory access controls to read or modify files outside their intended scope. This requires local or remote access to the device's management interface and valid authentication.

Prerequisites

Valid user credentials on REB500
User account with specific elevated role
Network access to REB500 management interface (local or remote)

Requires authentication and specific roleMedium CVSS scoreAccess control weakness allows privilege escalation within authenticated sessionAffects critical energy infrastructure relay

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

REB500≤ 8.3.3.08.3.3.1

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDDisable the Installer role when not performing firmware updates; enable only during maintenance windows

HARDENINGRestrict network access to REB500 management interface using firewall rules; do not expose to internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate REB500 to firmware version 8.3.3.1 or later

Long-term hardening

0/2

HARDENINGIsolate REB500 and relay devices on a separate industrial network segment away from business networks

HARDENINGIf remote access to REB500 is required, use VPN with current security patches

CVEs (2)

CVE-2026-2459 CVE-2026-2460

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d46954d0-f0b7-41bb-a816-0b7c72da16d3