Hitachi Energy RTU500

MonitorCVSS 7.8ICS-CERT ICSA-26-155-04May 26, 2026

Hitachi EnergyEnergy

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Hitachi Energy RTU500 CMU firmware versions 12.7.1–12.7.7, 13.5.1–13.5.4, 13.6.1–13.6.3, and others contain memory corruption and loop logic vulnerabilities (CWE-476, CWE-190, CWE-835) that can cause device crashes and denial of service. Impact is primarily on product availability, with potential secondary impacts on confidentiality and integrity of operations.

What this means

What could happen

An attacker with local access to an RTU500 device could trigger a crash or cause unexpected behavior that disrupts availability of the remote terminal unit, potentially causing loss of telemetry or control capabilities at substations or generation facilities.

Who's at risk

Electric utilities and generation facilities using Hitachi Energy RTU500 series remote terminal units in substations or generation control systems. RTU500 devices are commonly deployed for supervisory control, telemetry, and protection in transmission and distribution networks.

How it could be exploited

An attacker with local shell or engineering access to an RTU500 CMU could exploit memory handling or loop logic vulnerabilities to cause a denial of service. The vulnerability is triggered through the device's local interface or connected engineering workstation.

Prerequisites

Local shell or engineering workstation access to RTU500 device
Ability to run commands or send malformed input to the CMU firmware
Device running one of the affected RTU500 CMU firmware versions

Local exploitation requiredLow complexity attackAffects availability of critical telemetry and control functions

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Affected products (1)

ProductAffected VersionsFix Status

RTU500 series CMU Firmware≥ 12.7.1, ≤ 12.7.7≥ 13.5.1, ≤ 13.5.4≥ 13.6.1, ≤ 13.6.3 and 3 moreFix available

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict local and remote access to RTU500 engineering interfaces to authorized personnel only

HARDENINGReview and enforce access control lists on all connections to RTU500 devices from engineering workstations and maintenance systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate RTU500 CMU Firmware to version 13.8.2

HOTFIXIf version 13.8.2 cannot be deployed immediately, update to version 13.7.9 (when available) or 13.7.8 as an interim measure

CVEs (7)

CVE-2025-69421 CVE-2026-24515 CVE-2026-25210 CVE-2026-32776 CVE-2026-32777 CVE-2026-32778 CVE-2026-8479

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ac3e6df7-6b44-4a67-a205-cca834673517

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.