Hitachi Energy RTU500 Product

Monitor7.5ICS-CERT ICSA-26-062-03Mar 3, 2026

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Hitachi Energy RTU500 CMU firmware versions 12.7.1–12.7.7, 13.5.1–13.5.4, 13.6.1–13.6.2, 13.7.1–13.7.7, and 13.8.1 contain vulnerabilities (CWE-280, CWE-184, CWE-674, CWE-770) that allow remote attackers to cause denial of service (device outage) and exposure of user management information without authentication. Successful exploitation can result in loss of RTU500 functionality and disclosure of account details that may facilitate further attacks on the energy management network.

What this means

What could happen

An attacker could cause the RTU500 to become unavailable (denial of service), disrupting critical grid monitoring and control functions. Additionally, user management information could be exposed, potentially revealing account names and roles needed to access other systems.

Who's at risk

Energy utilities and industrial manufacturers operating Hitachi Energy RTU500 series remote terminal units. RTU500 devices are critical for grid monitoring, telemetry, and remote control of substation equipment. Loss of availability directly impacts grid reliability and situational awareness for operators.

How it could be exploited

An attacker with network access to the RTU500 CMU (Control and Monitoring Unit) could send crafted requests that trigger resource exhaustion or memory corruption conditions, causing the device to crash or become unresponsive. The attacker does not need valid credentials to initiate the attack.

Prerequisites

Network access to the RTU500 CMU device (typically on port 502 or management interface)
No authentication required

remotely exploitableno authentication requiredlow complexityaffects critical infrastructure monitoringaffects device availability (denial of service)no patch available for version 13.6.x range

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

RTU500 series CMU Firmware≥ 12.7.1, ≤ 12.7.7; ≥ 13.5.1, ≤ 13.5.4; ≥ 13.6.1, ≤ 13.6.2; ≥ 13.7.1, ≤ 13.7.7; 13.8.1No fix yet

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGEnsure RTU500 devices are not accessible from the internet; block external inbound traffic to management ports

WORKAROUNDIf remote access to RTU500 is required, enforce VPN tunnels and ensure VPN software is kept up to date

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate RTU500 CMU firmware to version 12.7.8 for devices running 12.7.x releases

HOTFIXUpdate RTU500 CMU firmware to version 13.7.8 or latest for devices running 13.7.x releases

HOTFIXUpdate RTU500 CMU firmware to version 13.8.2 for devices running 13.8.1

Long-term hardening

0/1

HARDENINGIsolate RTU500 devices on a separate control system network behind a firewall; prevent direct connectivity from business network systems

CVEs (4)

CVE-2026-1772 CVE-2026-1773 CVE-2024-8176 CVE-2025-59375

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c28d4b85-a67b-4b96-8f79-d96f3aafa54b