THREATNOIR
Subscribe
Back to Feed
VulnerabilitiesJun 4, 2026

Hitachi Energy RTU500

Hitachi Energy RTU500 firmware versions contain seven CVEs causing denial of service in critical infrastructure

Read at source

Summary

Hitachi Energy has disclosed seven vulnerabilities affecting RTU500 Remote Terminal Unit firmware versions 12.7.1 through 13.8.1, used in critical infrastructure (dams, energy, water systems) worldwide. The vulnerabilities include NULL pointer dereferences, integer overflow, and infinite loop conditions in libexpat and PKCS#12 processing, primarily impacting availability with potential secondary impacts on confidentiality and integrity. Affected organizations should update to CMU Firmware version 13.8.2 or 13.7.9 to remediate the issues.

Full text

ICS Advisory Hitachi Energy RTU500 Release DateJune 04, 2026 Alert CodeICSA-26-155-04 Related topics: Industrial Control System Vulnerabilities , Industrial Control Systems View CSAF Summary Hitachi Energy is aware of vulnerabilities that affect RTU500 product versions listed in this document. If exploited, these vulnerabilities primarily impact product availability, with potential secondary impacts on confidentiality and integrity. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation. The following versions of Hitachi Energy RTU500 are affected: RTU500 series CMU Firmware vers:RTU500_series_CMU_Firmware/>=12.7.1|<=12.7.7, vers:RTU500_series_CMU_Firmware/>=13.5.1|<=13.5.4, vers:RTU500_series_CMU_Firmware/>=13.6.1|<=13.6.3, vers:RTU500_series_CMU_Firmware/>=13.7.1|<=13.7.8, 13.8.1, vers:RTU500_series_CMU_Firmware/>=13.7.1|<=13.7.7 (CVE-2025-69421, CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778, CVE-2026-8479, CVE-2025-69421, CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778, CVE-2026-8479, CVE-2025-69421, CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778, CVE-2026-8479, CVE-2025-69421, CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778, CVE-2025-69421, CVE-2026-24515, CVE-2026-25210, CVE-2026-32776, CVE-2026-32777, CVE-2026-32778, CVE-2026-8479, CVE-2026-8479) CVSS Vendor Equipment Vulnerabilities v3 7.8 Hitachi Energy Hitachi Energy RTU500 NULL Pointer Dereference, Integer Overflow or Wraparound, Loop with Unreachable Exit Condition ('Infinite Loop') Background Critical Infrastructure Sectors: Dams, Energy, Water and Wastewater Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2025-69421 CWE-476: NULL Pointer Dereference. Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing Denial of Service impact. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Product is affected, if a privileged user uploads a malformed PKCS#12 certificate via web interface or if PKI client functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.4, RTU500 series CMU Firmware version 13.6.1 – 13.6.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.8, RTU500 series CMU Firmware version 13.8.1 Product Status:known_affected Remediations Vendor fixUpdate to CMU Firmware version 13.8.2 MitigationFollow general mitigation factors/workarounds Vendor fixUpdate to CMU Firmware version 13.7.9 (when available) or 13.8.2 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-24515 CWE-476: NULL Pointer Dereference. In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data, causing Denial of Service impact. Product is only affected if IEC 61850 functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.4, RTU500 series CMU Firmware version 13.6.1 – 13.6.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.8, RTU500 series CMU Firmware version 13.8.1 Product Status:known_affected Remediations Vendor fixUpdate to CMU Firmware version 13.8.2 MitigationFollow general mitigation factors/workarounds Vendor fixUpdate to CMU Firmware version 13.7.9 (when available) or 13.8.2 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L CVE-2026-25210 CWE-190: Integer Overflow or Wraparound. In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation, primarily causing Denial of Service and potentially confidentiality and integrity impact to the product. Product is only affected if IEC 61850 functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.4, RTU500 series CMU Firmware version 13.6.1 – 13.6.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.8, RTU500 series CMU Firmware version 13.8.1 Product Status:known_affected Remediations Vendor fixUpdate to CMU Firmware version 13.8.2 MitigationFollow general mitigation factors/workarounds Vendor fixUpdate to CMU Firmware version 13.7.9 (when available) or 13.8.2 Relevant CWE: CWE-190 Integer Overflow or Wraparound Metrics CVSS Version Base Score Base Severity Vector String 3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2026-32776 CWE-476: NULL Pointer Dereference. libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content, causing Denial of Service impact. Product is only affected if IEC 61850 functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.4, RTU500 series CMU Firmware version 13.6.1 – 13.6.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.8, RTU500 series CMU Firmware version 13.8.1 Product Status:known_affected Remediations Vendor fixUpdate to CMU Firmware version 13.8.2 MitigationFollow general mitigation factors/workarounds Vendor fixUpdate to CMU Firmware version 13.7.9 (when available) or 13.8.2 Relevant CWE: CWE-476 NULL Pointer Dereference Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-32777 CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop'). libexpat before 2.7.5 allows an infinite loop while parsing DTD content, causing Denial of Service impact. Product is only affected if IEC 61850 functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.4, RTU500 series CMU Firmware version 13.6.1 – 13.6.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.8, RTU500 series CMU Firmware version 13.8.1 Product Status:known_affected Remediations Vendor fixUpdate to CMU Firmware version 13.8.2 MitigationFollow general mitigation factors/workarounds Vendor fixUpdate to CMU Firmware version 13.7.9 (when available) or 13.8.2 Relevant CWE: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2026-32778 CWE-476: NULL Pointer Dereference. libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition, causing Denial of Service impact. Product is only affected if IEC 61850 functionality is configured. View CVE Details Affected Products Hitachi Energy RTU500 Vendor:Hitachi Energy Product Version:RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware v

Indicators of Compromise

  • cve — CVE-2025-69421
  • cve — CVE-2026-24515
  • cve — CVE-2026-25210
  • cve — CVE-2026-32776
  • cve — CVE-2026-32777
  • cve — CVE-2026-32778
  • cve — CVE-2026-8479

Entities

Hitachi Energy (vendor)RTU500 (product)libexpat (product)IEC 61850 (technology)IEC 60870-5-104 (technology)