Skip to main content

PROMOD V CVE-2026-10763

| EUVDEUVD-2026-40275 HIGH
Reliance on HTTP instead of HTTPS (CWE-1428)
2026-06-30 Hitachi Energy GHSA-jm8g-r6p8-h3xf
7.0
CVSS 4.0 · Vendor: Hitachi Energy
Share

Severity by source

Vendor (Hitachi Energy) PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

Cleartext channel requires a MITM/interception position (AC:H) and a user-initiated simulation (UI:R); high confidentiality exposure with only limited in-transit tampering (I:L) and no availability impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Hitachi Energy).

CVSS VectorVendor: Hitachi Energy

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 10:22 vuln.today

DescriptionCVE.org

PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.

AnalysisAI

Cleartext-transmission exposure in Hitachi Energy PROMOD V allows a network man-in-the-middle to intercept or read sensitive data because the application relies on unencrypted HTTP rather than HTTPS when communicating with a third-party Digipede grid-computing server. The flaw (CWE-1428, reliance on an insecure communications channel) carries a CVSS 4.0 base score of 7.0 and is rated high confidentiality impact with limited integrity impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain MITM position on PROMOD-Digipede network path
Delivery
User launches distributed simulation
Exploit
Intercept cleartext HTTP traffic
Execution
Read sensitive model data
Impact
Optionally tamper with in-transit content

Vulnerability AssessmentAI

Exploitation Exploitation requires the PROMOD V deployment to use the third-party Digipede server for distributed computation, since that is the channel transmitted over HTTP instead of HTTPS, and it requires a user to actively initiate the communication (UI:A) - a simulation run that triggers the PROMOD-to-Digipede exchange. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N) describes an unauthenticated, network-reachable issue with high confidentiality but only low integrity impact and no availability impact, requiring active user interaction (a user must run a simulation that triggers the Digipede communication). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the local network or upstream path between a PROMOD V workstation and the Digipede server (e.g., via ARP spoofing on a shared LAN or a compromised switch) passively captures the unencrypted HTTP traffic when an analyst launches a distributed simulation, recovering sensitive model or operational data. With a MITM foothold the attacker could also alter low-impact in-transit content. …
Remediation No vendor-released patched version was identified in the available data - consult the Hitachi Energy advisory (https://publisher.hitachienergy.com/preview?DocumentID=8DBD000250) for the authoritative fixed release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Hitachi Energy PROMOD V installations and determine which communicate with Digipede servers over untrusted network segments; assess data classification of communications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10763 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy