root@rebel:~$ cd /news/threats/hitachi-energy-rtu500-cmu-firmware-vulnerabilities-patch-guidance_
[TIMESTAMP: 2026-03-04 04:37 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Hitachi Energy RTU500 CMU Firmware Vulnerabilities: Patch Guidance

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers can cause device outages or access user management information, disrupting critical manufacturing operations worldwide.
  • [02] Affected systems: Hitachi Energy RTU500 series CMU firmware versions 12.7.1 through 13.8.1 are susceptible to these vulnerabilities.
  • [03] Remediation: Asset owners must immediately update to CMU firmware versions 12.7.8, 13.7.8, or 13.8.2 to mitigate risk.

Hitachi Energy has disclosed a series of vulnerabilities affecting the RTU500 series Remote Terminal Units (RTUs), which are widely deployed across the critical manufacturing sector. According to CISA Advisory ICSA-26-062-03, the flaws include improper handling of insufficient permissions, input validation errors, and resource exhaustion within third-party libraries. These vulnerabilities could allow an attacker to cause a device outage or harvest sensitive user management data.

Technical Analysis and Exploitation Vectors

The most impactful vulnerabilities concern the RTU's handling of industrial communication protocols and XML parsing. CVE-2026-1773 carries a CVSS base score of 7.5 and stems from an incomplete list of disallowed inputs within the IEC 60870-5-104 protocol stack. When the RTU is configured with bi-directional functionality, an attacker can transmit an invalid U-format frame to trigger a denial of service. Security teams looking to detect exploitation of CVE-2026-1773 should focus on monitoring network traffic for malformed frames directed at TCP port 2404 or any other configured IEC 104 port.
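The monitoring advice above is only actionable if the detector knows what a well-formed IEC 104 frame looks like. The following is an added example, not code from the advisory or from Hitachi Energy: it validates the six-byte APCI header (start byte, APDU length, four control octets) and applies the strict rules for U-format frames, which must carry exactly one defined function code in control octet 1 and zeros in octets 2-4. The sample records are constructed, and the specific malformation that triggers CVE-2026-1773 is not published on the page, so the check flags any frame that violates the APCI structure rather than one particular trigger.

```python
"""Structural validation of IEC 60870-5-104 APCI frames.

Added example, not from the advisory or the vendor. Flags frames that break
the APCI layout, with strict checks for U-format frames. The sample traffic
below is constructed; the exact frame behind CVE-2026-1773 is not on the page.
"""
from dataclasses import dataclass

IEC104_DEFAULT_PORT = 2404  # other configured IEC 104 ports are equally in scope

# Defined U-format values for control octet 1: bits 0-1 set, exactly one function bit
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act",  0x23: "STOPDT con",
    0x43: "TESTFR act",  0x83: "TESTFR con",
}


@dataclass
class Verdict:
    ok: bool
    fmt: str      # "I", "S", "U", or "?" when the format cannot be determined
    reason: str


def classify_apci(frame: bytes) -> Verdict:
    """Parse one TCP payload as a single APCI/APDU and validate its structure."""
    if len(frame) < 6:
        return Verdict(False, "?", "shorter than the 6-byte APCI")
    if frame[0] != 0x68:
        return Verdict(False, "?", f"bad start byte 0x{frame[0]:02x}")
    apdu_len = frame[1]
    if not 4 <= apdu_len <= 253:
        return Verdict(False, "?", f"APDU length {apdu_len} outside 4..253")
    if len(frame) != apdu_len + 2:
        return Verdict(False, "?", f"declared APDU length {apdu_len}, {len(frame) - 2} bytes present")
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:                       # bit 0 clear: I-format (carries an ASDU)
        return Verdict(True, "I", "I-format")
    if c1 & 0x03 == 0x01:                    # bits 0-1 == 01: S-format (supervisory)
        if c1 != 0x01 or c2 != 0x00 or apdu_len != 4:
            return Verdict(False, "S", "S-format with reserved bits set or wrong length")
        return Verdict(True, "S", "S-format")
    # bits 0-1 == 11: U-format, which must be exactly the 4 control octets
    if apdu_len != 4:
        return Verdict(False, "U", f"U-format with APDU length {apdu_len}, expected 4")
    if c1 not in U_FUNCTIONS:
        return Verdict(False, "U", f"control octet 0x{c1:02x} is not a defined U function")
    if (c2, c3, c4) != (0, 0, 0):
        return Verdict(False, "U", "U-format with non-zero control octets 2-4")
    return Verdict(True, "U", U_FUNCTIONS[c1])


def malformed_frame_alerts(records, ports=(IEC104_DEFAULT_PORT,)):
    """records: iterable of (src, dst_port, payload). Returns (src, fmt, reason) alerts."""
    alerts = []
    for src, dst_port, payload in records:
        if dst_port not in ports:
            continue
        verdict = classify_apci(payload)
        if not verdict.ok:
            alerts.append((src, verdict.fmt, verdict.reason))
    return alerts


# Constructed sample traffic (not a capture from a real RTU)
SAMPLE_RECORDS = [
    ("10.20.0.5", 2404, b"\x68\x04\x07\x00\x00\x00"),               # STARTDT act, valid
    ("10.20.0.5", 2404, b"\x68\x0e\x02\x00\x02\x00" + bytes(10)),  # I-format, valid
    ("10.20.0.99", 2404, b"\x68\x04\x0f\x00\x00\x00"),              # undefined U function code
    ("10.20.0.99", 2404, b"\x68\x04\x43\x00\x01\x00"),              # TESTFR act with octet 3 set
    ("10.20.0.99", 8080, b"\x68\x04\x0f\x00\x00\x00"),              # not an IEC 104 port, ignored
]

if __name__ == "__main__":
    for alert in malformed_frame_alerts(SAMPLE_RECORDS):
        print(alert)
```

In a real deployment the `records` would come from a packet broker or IDS tap on the RTU segment, and the alert list would be forwarded to the SIEM keyed on source address, so that a burst of malformed U-frames from a single host stands out.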

In addition to protocol-specific flaws, the RTU500 series is affected by vulnerabilities in the libexpat library used for XML processing, particularly when the IEC 61850 functionality is enabled. CVE-2024-8176 is a stack overflow vulnerability caused by uncontrolled recursion during entity expansion. While the primary impact is a system crash, memory corruption could theoretically lead to RCE. Furthermore, CVE-2025-59375 describes a resource exhaustion scenario in which a small, crafted XML document triggers excessive memory allocation, resulting in a denial of service of the control module. Mitigating the libexpat flaws requires applying the vendor-provided firmware updates that incorporate patched versions of the library.
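Both libexpat issues above are reached through DTD constructs (entity declarations and their expansion) that legitimate IEC 61850 configuration and data files never need. Until the firmware update is applied, a gateway or test harness in front of the RTU can refuse such documents before the embedded parser sees them. The block below is an added example, not vendor code: it runs Python's own expat binding over the document with handlers that abort on a DOCTYPE, on any entity declaration, on external entity references and on excessive nesting, and enforces a byte budget. The size and depth limits and the sample documents are assumptions, constructed for illustration; none of the samples is an exploit payload.

```python
"""Pre-parse gate for XML that will be fed to a libexpat-based parser.

Added example, not vendor code. Rejects the DTD constructs that entity
expansion attacks depend on, enforces size and depth budgets, and only then
hands the document onward. Limits and sample documents are constructed.
"""
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # assumed budget; tune to the largest legitimate SCL/MMS document
MAX_DEPTH = 32          # assumed nesting limit


class RejectXML(Exception):
    """Raised when a document fails the gate; the message says why."""


def check_xml(data: bytes, max_bytes: int = MAX_BYTES, max_depth: int = MAX_DEPTH) -> dict:
    """Return simple statistics for an accepted document, or raise RejectXML."""
    if len(data) > max_bytes:
        raise RejectXML(f"{len(data)} bytes exceeds budget of {max_bytes}")
    parser = xml.parsers.expat.ParserCreate()
    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)
        if depth > max_depth:
            raise RejectXML(f"nesting deeper than {max_depth} at <{name}>")

    def end_element(name):
        nonlocal depth
        depth -= 1

    # A DOCTYPE is refused outright: SCL/MMS payloads do not carry one, and it is
    # the only place internal entities can be declared.
    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise RejectXML(f"DOCTYPE {doctype_name!r} not allowed")

    # Defense in depth: expat calls this at declaration time, before any
    # reference in the body is expanded.
    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        raise RejectXML(f"entity declaration {name!r} not allowed")

    def external_ref(context, base, system_id, public_id):
        raise RejectXML("external entity reference not allowed")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)   # an exception raised in a handler propagates out of Parse
    except xml.parsers.expat.ExpatError as exc:
        raise RejectXML(f"not well-formed: {exc}") from exc
    return stats


def gate(data: bytes):
    """Convenience wrapper returning (accepted, stats_or_reason)."""
    try:
        return True, check_xml(data)
    except RejectXML as exc:
        return False, str(exc)


# Constructed sample documents
BENIGN = b'<SCL><IED name="rtu1"><AccessPoint name="S1"/></IED></SCL>'
WITH_DTD = b'<!DOCTYPE a [<!ENTITY x "y">]><a>&x;</a>'
TOO_DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("dtd", WITH_DTD), ("deep", TOO_DEEP)):
        print(label, gate(doc))
```

The gate is deliberately stricter than the RTU's own parser; a document it accepts still goes to the real libexpat instance, so it reduces exposure without replacing the firmware fix.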

Information Disclosure in Web Interface

A medium-severity vulnerability, CVE-2026-1772, affects the web-based management interface. Although the information is not directly displayed in the UI, an unprivileged user can use browser developer tools to view user management information. While this does not immediately grant privilege escalation, it exposes sensitive account and internal configuration details that an APT could use for reconnaissance and lateral movement within the industrial control system (ICS) environment.

Hitachi Energy RTU500 Series CMU Firmware Patch Guidance

Hitachi Energy has released several firmware updates to address these risks. Asset owners should prioritize patching based on their functional configurations. The following firmware versions include the necessary fixes:

  • CMU Firmware 12.7.8: Resolves issues for the 12.7.x branch.
  • CMU Firmware 13.7.8 or later: Resolves issues for the 13.5.x, 13.6.x, and 13.7.x branches.
  • CMU Firmware 13.8.2: Resolves issues for the 13.8.x branch.

Defenders should align their mitigation strategy with MITRE ATT&CK for ICS, specifically focusing on preventing unauthorized command and control (C2) channels and ensuring that RTUs are not exposed to the public internet.

General Mitigation and Defensive Measures

For organizations unable to patch immediately, Hitachi Energy and CISA recommend several defensive strategies. First, ensure that all RTU500 devices are isolated from the business network and are not accessible from the internet. If remote access is required, it must be facilitated through a secure VPN and managed under a Zero Trust architecture.

Furthermore, for CVE-2026-1773, enabling secure communication following the IEC 62351-3 standard can mitigate the risk of exploitation, even though it does not fully remediate the underlying code flaw. Organizations should also ensure that SOC monitoring covers suspicious XML traffic and unauthorized attempts to access the device's web management portal. Configuring the SIEM to alert on frequent RTU reboots or crashes can serve as an early warning of active exploitation attempts.
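The reboot-frequency alert recommended above is a sliding-window count per device. The block below is an added example, not a rule shipped by any SIEM vendor or by Hitachi Energy: it reads syslog-style lines, keeps the recent startup timestamps for each RTU, and raises an alert when a device boots at least `threshold` times within `window`. The log format, host names and the "system startup" marker are constructed assumptions; a real RTU500 emits its own message text, so the regular expression and marker would need to be adapted.

```python
"""Sliding-window reboot alerting over RTU syslog lines.

Added example, not a vendor or SIEM product rule. Log format, hosts and the
startup marker are constructed; adapt LINE_RE and BOOT_MARKER to real output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; not output from a real RTU500.
SAMPLE_LOGS = """\
2026-03-04T04:10:02Z rtu-sub7 cmu: system startup, firmware 13.8.1
2026-03-04T04:10:40Z rtu-sub7 cmu: IEC104 link established 10.20.0.5
2026-03-04T04:12:15Z rtu-sub7 cmu: system startup, firmware 13.8.1
2026-03-04T04:14:31Z rtu-sub7 cmu: system startup, firmware 13.8.1
2026-03-04T04:15:00Z rtu-sub9 cmu: system startup, firmware 13.8.1
2026-03-04T05:30:00Z rtu-sub7 cmu: system startup, firmware 13.8.1
"""

LINE_RE = re.compile(r"^(\S+) (\S+) cmu: (.*)$")   # timestamp, host, message
BOOT_MARKER = "system startup"                      # assumed boot message fragment


def reboot_alerts(log_text: str, window: timedelta = timedelta(minutes=10), threshold: int = 3):
    """Return (host, iso_time, count) for every line at which a host has started
    at least `threshold` times within the trailing `window`."""
    recent = defaultdict(deque)   # host -> timestamps of boots still inside the window
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                # unknown line shape: skip rather than guess
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host, message = match.group(2), match.group(3)
        if BOOT_MARKER not in message:
            continue
        boots = recent[host]
        boots.append(ts)
        while boots and ts - boots[0] > window:
            boots.popleft()         # drop boots older than the window
        if len(boots) >= threshold:
            alerts.append((host, ts.isoformat(), len(boots)))
    return alerts


if __name__ == "__main__":
    for alert in reboot_alerts(SAMPLE_LOGS):
        print("ALERT frequent reboots:", alert)
```

With the sample data, rtu-sub7 starts three times between 04:10 and 04:15 and triggers one alert; its later single reboot at 05:30 falls outside the window and stays quiet, as does the lone startup of rtu-sub9. Tuning the window and threshold to the site's normal maintenance pattern keeps scheduled restarts from paging the SOC.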
