Skip to main content

RTU500 CMU Firmware CVE-2026-8479

| EUVDEUVD-2026-31814 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-26 Hitachi Energy GHSA-m2rr-g8pf-8wrj
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 12:50 vuln.today
CVSS changed
May 26, 2026 - 14:22 NVD
6.9 (MEDIUM)
CVE Published
May 26, 2026 - 11:54 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

IEC 60870-5-104 used in bidirectional mode is vulnerable for a NULL pointer dereferencing, if a specially crafted sequence of messages is sent for a certain time, causing Denial of Service impact. Product is only affected if IEC 60870-5-104 functionality in bidirectional mode (BCI) is configured.

AnalysisAI

NULL pointer dereference in Hitachi Energy RTU500 series CMU Firmware allows an adjacent low-privileged attacker to crash the IEC 60870-5-104 communication process by sending a specially crafted sequence of messages over time, resulting in a Denial of Service on the RTU device. Exploitation is gated behind a non-default configuration - only deployments with bidirectional communication interface (BCI) mode enabled are affected. No public exploit exists and EPSS places exploitation probability at 0.02% (7th percentile), consistent with the specialized OT/ICS context, adjacency requirement, and SSVC confirmation of no known active exploitation.

Technical ContextAI

IEC 60870-5-104 is a widely deployed telecontrol standard in power utility SCADA and substation automation environments, providing TCP/IP transport for IEC 60870-5-101 protocol data between control centers and field devices. The RTU500 series is Hitachi Energy's remote terminal unit platform used in electrical substation automation. When configured in bidirectional communication interface (BCI) mode, the firmware's IEC 104 message parsing stack fails to validate pointer state before dereferencing when processing a particular crafted message sequence over time, classifying as CWE-476 (NULL Pointer Dereference). The root cause is a missing null check in the stateful message handler, which can be reached through a sustained sequence of protocol messages. Affected products are identified by CPE cpe:2.3:a:hitachi_energy:rtu500_series_cmu_firmware:*:*:*:*:*:*:*:*.

RemediationAI

Apply the patched CMU firmware per the Hitachi Energy advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000252&LanguageCode=en&DocumentPartId=&Action=Launch - exact fixed firmware version numbers are not present in the available intelligence and must be confirmed from the vendor advisory directly. As an immediate compensating control for deployments that cannot patch promptly, disabling IEC 60870-5-104 bidirectional (BCI) mode removes the vulnerable code path entirely and eliminates all exposure; however, this disables bidirectional RTU communication functionality and must be evaluated against operational requirements. As a secondary control, restrict network access to RTU500 communication interfaces at the industrial firewall or DMZ boundary to trusted control center IP addresses only, enforcing the adjacency barrier that CVSS AV:A already assumes. Combining network segmentation with prompt patching is the recommended posture for OT environments.

Share

CVE-2026-8479 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy