Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Cleartext channel requires a MITM/interception position (AC:H) and a user-initiated simulation (UI:R); high confidentiality exposure with only limited in-transit tampering (I:L) and no availability impact.
Primary rating from Vendor (Hitachi Energy).
CVSS VectorVendor: Hitachi Energy
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.
AnalysisAI
Cleartext-transmission exposure in Hitachi Energy PROMOD V allows a network man-in-the-middle to intercept or read sensitive data because the application relies on unencrypted HTTP rather than HTTPS when communicating with a third-party Digipede grid-computing server. The flaw (CWE-1428, reliance on an insecure communications channel) carries a CVSS 4.0 base score of 7.0 and is rated high confidentiality impact with limited integrity impact; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the PROMOD V deployment to use the third-party Digipede server for distributed computation, since that is the channel transmitted over HTTP instead of HTTPS, and it requires a user to actively initiate the communication (UI:A) - a simulation run that triggers the PROMOD-to-Digipede exchange. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N) describes an unauthenticated, network-reachable issue with high confidentiality but only low integrity impact and no availability impact, requiring active user interaction (a user must run a simulation that triggers the Digipede communication). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned on the local network or upstream path between a PROMOD V workstation and the Digipede server (e.g., via ARP spoofing on a shared LAN or a compromised switch) passively captures the unencrypted HTTP traffic when an analyst launches a distributed simulation, recovering sensitive model or operational data. With a MITM foothold the attacker could also alter low-impact in-transit content. … |
| Remediation | No vendor-released patched version was identified in the available data - consult the Hitachi Energy advisory (https://publisher.hitachienergy.com/preview?DocumentID=8DBD000250) for the authoritative fixed release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Hitachi Energy PROMOD V installations and determine which communicate with Digipede servers over untrusted network segments; assess data classification of communications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40275
GHSA-jm8g-r6p8-h3xf