1. EXECUTIVE SUMMARY
- CVSS v4 7.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: RTU500 Series
- Vulnerabilities: Unrestricted Upload of File with Dangerous Type
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi’s RTU500 series CMU Firmware are affected:
- RTU500 series CMU Firmware: Version 12.0.1 – 12.0.14
- RTU500 series CMU Firmware: Version 12.2.1 – 12.2.11
- RTU500 series CMU Firmware: Version 12.4.1 – 12.4.11
- RTU500 series CMU Firmware: Version 12.6.1 – 12.6.9
- RTU500 series CMU Firmware: Version 12.7.1 – 12.7.6
- RTU500 series CMU Firmware: Version 13.2.1 – 13.2.6
- RTU500 series CMU Firmware: Version 13.4.1 – 13.4.4
- RTU500 series CMU Firmware: Version 13.5.1 – 13.5.3
3.2 Vulnerability Overview
3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
A vulnerability exists in the stb-language file handling that affects the RTU500 series product versions listed below. A malicious actor could print random memory content in the RTU500 system log, if an authorized user uploads a specially crafted stb-language file.
CVE-2024-1531 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).
A CVSS v4 score has also been calculated for This article has been indexed from All CISA Advisories