Hitachi Energy PCM600
MonitorCVSS 4.4ICS-CERT ICSA-26-125-01Apr 28, 2026
Hitachi EnergyEnergy
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionRequired
Summary
A vulnerability in Hitachi Energy PCM600 affects product integrity. An attacker can exploit path traversal (CWE-22) locally to compromise the integrity of the system. The vulnerability requires local access, low privileges, and user interaction (high complexity).
What this means
What could happen
An attacker with local access and user interaction could alter or delete files in PCM600, potentially compromising the integrity of power system configuration data. This could lead to incorrect relay settings or control logic if malicious changes are introduced.
Who's at risk
Power utilities and energy facilities operating Hitachi Energy PCM600 for protection relay and power system engineering should assess their deployments. This primarily affects engineering workstations used to configure and maintain relays and control systems at generation, transmission, and distribution facilities.
How it could be exploited
An attacker with local or logical access to a PCM600 workstation can use path traversal techniques to access files outside intended directories. If a user can be tricked into opening a specially crafted file or performing an action, the attacker can read or modify system files, potentially affecting power system protection or control settings.
Prerequisites
- Local or terminal access to the PCM600 workstation or engineering interface
- A valid user account with limited privileges
- User interaction (clicking a file, opening a document, or performing an action)
- PCM600 version 3.0 through 3.1 SP3, or Legacy versions
affects power system engineering toolpath traversal vulnerabilityuser interaction requiredlow exploit probability
Exploitability
Unlikely to be exploited — EPSS score 0.8%
Affected products (9)
8 with fix1 EOL
ProductAffected VersionsFix Status
PCM600 3.03.0Fix available
PCM600 3.0 HF13.0 HF1Fix available
PCM600 3.0 HF23.0 HF2Fix available
PCM600 3.0 HF33.0 HF3Fix available
PCM600 3.13.1Fix available
PCM600 3.1 SP13.1 SP1Fix available
PCM600 3.1 SP23.1 SP2Fix available
PCM600 3.1 SP33.1 SP3Fix available
Remediation & Mitigation
0/5
Do now
0/2HARDENINGReview and remove all default credentials from PCM600 deployment as per Chapter 4 of Hitachi Energy Cyber Security Deployment Guideline 1MRK505410
WORKAROUNDIf unable to immediately patch, implement compensating controls such as disabling file sharing features and restricting user permissions to read-only where feasible
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
PCM600 3.1
HOTFIXIf running PCM600 Legacy (≤2.11), plan migration to PCM600 3.1 SP4 or later, as no patch is available for legacy versions
All products
HOTFIXUpdate PCM600 to version 3.1 SP4 or later when available from Hitachi Energy
Mitigations - no patch available
0/1PCM600 Legacy has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGRestrict local access to PCM600 workstations to authorized engineering and commissioning personnel only
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6d6b64a1-9e57-40ab-9c55-a4670da775e4Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.