Hitachi Energy RTU500 Series

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: RTU500 series
• Vulnerabilities: Null Pointer Dereference, Insufficient Resource Pool, Missing Synchronization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Hitachi Energy products are affected:

• RTU500 series CMU: Versions 12.0.1 - 12.0.14 (CVE-2024-10037)
• RTU500 series CMU: Versions 12.2.1 - 12.2.12 (CVE-2024-10037)
• RTU500 series CMU: Versions 12.4.1 - 12.4.11 (CVE-2024-10037)
• RTU500 series CMU: Versions 12.6.1 - 12.6.10 (CVE-2024-10037)
• RTU500 series CMU: Versions 12.7.1 - 12.7.7 (CVE-2024-10037)
• RTU500 series CMU: Versions 13.2.1 - 13.2.7 (CVE-2024-10037)
• RTU500 series CMU: Versions 13.4.1 - 13.4.4 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
• RTU500 series CMU: Versions 13.5.1 - 13.5.3 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
• RTU500 series CMU: Versions 13.6.1 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
• RTU500 series CMU: Versions 13.7.1 (CVE-2024-11499)
• RTU500 series CMU: Versions 13.7.1 - 13.7.4 (CVE-2024-12169, CVE-2025-1445)

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

A vulnerability exists in the RTU500 web server component that can cause a denial of service to the RTU500 CMU application if a specially crafted message sequence is executed on a WebSocket connection. An attacker must be properly authenticated and the test mode function of RTU500 must be enabled to exploit this vulnerability. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.

CVE-2024-10037 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10037. A base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 NULL POINTER DEREFERENCE CWE-476

A vulnerability exists in RTU500 IEC 60870-4-104 controlled station functionality, that allows an authenticated and authorized attacker to perform a CMU re-start. The vulnerability can be triggered if certificates are updated while in use on active connections. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability.

CVE-2024-11499 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11499. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 INSUFFICIENT RESOURCE POOL CWE-410

A vulnerability exists in RTU500 IEC 60870-5-104 controlled station functionality and IEC 61850 functionality, that allows an attacker performing a specific attack sequence to restart the affected CMU. This vulnerability only applies, if secure communication using IEC 62351-3 (TLS) is enabled.

CVE-2024-12169 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12169. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 MISSING SYNCHRONIZATION CWE-820

A vulnerability exists in RTU IEC 61850 client and server functionality that could impact the availability if renegotiation of an open IEC61850 TLS connection takes place in specific timing situations, when IEC61850 communication is active. Precondition is that IEC61850 as client or server are configured using TLS on RTU500 device. It affects the CMU the IEC61850 stack is configured on.

CVE-2025-1445 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1445. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• For all versions, apply general mitigation factors/workarounds. Upgrade the system once remediated version is available, or apply general mitigation factors.
• RTU500 series CMU 12.0.1 - 12.0.14, 12.2.1 - 12.2.12, 12.4.1 - 12.4.11, 12.6.1 - 12.6.10, 12.7.1 - 12.7.7: Update to version 12.7.8 when available.
• RTU500 series CMU version 13.2.1 - 13.2.7, 13.4.1 - 13.4.4, 13.5.1 - 13.5.3, 13.6.1: Update to version 13.7.1
• RTU500 series CMU 13.5.1 - 13.5.3: Update to version 13.5.4 when available.
• RTU500 series CMU 13.6.1: Update to version 13.6.2 when available.
• (CVE-2024-11499, CVE-2025-1445) RTU500 series CMU 13.7.1 - 13.7.4: Update to version 13.7.6 when available.
• (CVE-2024-12169) RTU500 series CMU 13.4.1 - 13.4.4, 13.5.1 - 13.5.3, 13.6.1, 13.7.1 - 13.7.4: Update to version 13.7.6 when available.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000207 Cybersecurity Advisory - Multiple Denial-of-Service Vulnerabilities in Hitachi Energy's RTU500 Series Product.

Hitachi Energy recommends users implement recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 3, 2025: Initial Republication of Hitachi Energy 8DBD000207

• Hitachi Energy