Hitachi Energy RTU500 Product

Monitor | CVSS 7.5 | ICS-CERT ICSA-26-062-03 | Mar 3, 2026
Hitachi Energy | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy RTU500 CMU firmware contains vulnerabilities that can result in exposure of low-value user management information and device outage. Affected versions: 12.7.1-12.7.7, 13.5.1-13.5.4, 13.6.1-13.6.2, 13.7.1-13.7.7, and 13.8.1.

What this means
What could happen
An attacker could disrupt RTU500 operations, causing outages in critical infrastructure, or expose user credentials stored on the device. Device unavailability could interrupt power distribution, water delivery, or manufacturing processes.
Who's at risk
Energy utilities and manufacturers operating Hitachi Energy RTU500 series remote terminal units (RTUs) are affected. RTUs are critical devices used in power distribution systems, water treatment, and industrial automation to control and monitor field equipment. Any utility with RTU500s in production networks should prioritize this.
How it could be exploited
An attacker with network access to the RTU500 CMU (communications module) could exploit the vulnerability remotely without authentication to cause a denial of service or extract user management data. No user interaction is required.
Prerequisites
  • Network access to RTU500 CMU on port 502 (Modbus TCP) or management interface
  • RTU500 must be running one of the affected firmware versions
remotely exploitable | no authentication required | low complexity | affects critical energy infrastructure | high availability impact | network-accessible critical device
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (1)
Product: RTU500 series CMU Firmware
Affected Versions: ≥ 12.7.1, ≤ 12.7.7; ≥ 13.5.1, ≤ 13.5.4; ≥ 13.6.1, ≤ 13.6.2; ≥ 13.7.1, ≤ 13.7.7; 13.8.1
Fix Status: No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to RTU500 CMU management interfaces and Modbus TCP port (502) to authorized engineering workstations and SCADA servers only using firewall rules
  • HARDENING: Isolate RTU500s from the business network and internet. Ensure RTU500 networks are not routable from IT networks without explicit firewall policy
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RTU500 CMU firmware to version 12.7.8
  • HOTFIX: Update RTU500 CMU firmware to version 13.7.8 or latest stable release
  • HOTFIX: Update RTU500 CMU firmware to version 13.8.2
Long-term hardening
  • HARDENING: If remote access to RTU500 is required, route all traffic through a VPN concentrator or jump server with multi-factor authentication and access logging
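
To scope the firmware updates above, an asset inventory can be checked against the affected ranges and update targets listed in this advisory. The following is an added example, not code from Hitachi Energy or from this advisory; the function names, the inventory layout, and the sample assets are assumptions made for illustration.

```python
import re

# Affected ranges from the advisory, as inclusive (low, high) bounds.
AFFECTED = [
    ((12, 7, 1), (12, 7, 7)),
    ((13, 5, 1), (13, 5, 4)),
    ((13, 6, 1), (13, 6, 2)),
    ((13, 7, 1), (13, 7, 7)),
    ((13, 8, 1), (13, 8, 1)),
]
# Update targets named in the advisory, keyed by (major, minor) branch.
# The advisory names no target for the 13.5 and 13.6 branches.
UPDATE_TARGET = {(12, 7): "12.7.8", (13, 7): "13.7.8", (13, 8): "13.8.2"}

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if unparseable."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(firmware):
    """Classify one firmware string as (status, update_target)."""
    version = parse_version(firmware)
    if version is None:
        return ("unknown", None)  # needs manual verification on the device
    for low, high in AFFECTED:
        # Tuple comparison is numeric per component, so 12.7.10 > 12.7.7.
        if low <= version <= high:
            return ("affected", UPDATE_TARGET.get(version[:2]))
    return ("not-listed", None)

def triage_inventory(inventory):
    return {asset: triage(fw) for asset, fw in inventory}

# Constructed sample inventory (asset names and versions are made up).
SAMPLE_INVENTORY = [
    ("substation-a-rtu1", "12.7.4"),
    ("substation-b-rtu2", "13.5.2"),
    ("pump-station-rtu3", "12.7.10"),
    ("plant-rtu4", "13.8.2"),
    ("plant-rtu5", ""),
]

if __name__ == "__main__":
    for asset, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:20} {status:11} update to: {target or 'none listed'}")
```

Comparing versions as integer tuples rather than strings keeps a two-digit patch level such as 12.7.10 from being sorted below 12.7.7 and wrongly flagged as affected.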