Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
IEC 60870-5-104 used in bidirectional mode is vulnerable for a NULL pointer dereferencing, if a specially crafted sequence of messages is sent for a certain time, causing Denial of Service impact. Product is only affected if IEC 60870-5-104 functionality in bidirectional mode (BCI) is configured.
AnalysisAI
NULL pointer dereference in Hitachi Energy RTU500 series CMU Firmware allows an adjacent low-privileged attacker to crash the IEC 60870-5-104 communication process by sending a specially crafted sequence of messages over time, resulting in a Denial of Service on the RTU device. Exploitation is gated behind a non-default configuration - only deployments with bidirectional communication interface (BCI) mode enabled are affected. No public exploit exists and EPSS places exploitation probability at 0.02% (7th percentile), consistent with the specialized OT/ICS context, adjacency requirement, and SSVC confirmation of no known active exploitation.
Technical ContextAI
IEC 60870-5-104 is a widely deployed telecontrol standard in power utility SCADA and substation automation environments, providing TCP/IP transport for IEC 60870-5-101 protocol data between control centers and field devices. The RTU500 series is Hitachi Energy's remote terminal unit platform used in electrical substation automation. When configured in bidirectional communication interface (BCI) mode, the firmware's IEC 104 message parsing stack fails to validate pointer state before dereferencing when processing a particular crafted message sequence over time, classifying as CWE-476 (NULL Pointer Dereference). The root cause is a missing null check in the stateful message handler, which can be reached through a sustained sequence of protocol messages. Affected products are identified by CPE cpe:2.3:a:hitachi_energy:rtu500_series_cmu_firmware:*:*:*:*:*:*:*:*.
RemediationAI
Apply the patched CMU firmware per the Hitachi Energy advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000252&LanguageCode=en&DocumentPartId=&Action=Launch - exact fixed firmware version numbers are not present in the available intelligence and must be confirmed from the vendor advisory directly. As an immediate compensating control for deployments that cannot patch promptly, disabling IEC 60870-5-104 bidirectional (BCI) mode removes the vulnerable code path entirely and eliminates all exposure; however, this disables bidirectional RTU communication functionality and must be evaluated against operational requirements. As a secondary control, restrict network access to RTU500 communication interfaces at the industrial firewall or DMZ boundary to trusted control center IP addresses only, enforcing the adjacency barrier that CVSS AV:A already assumes. Combining network segmentation with prompt patching is the recommended posture for OT environments.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31814
GHSA-m2rr-g8pf-8wrj