Critical Vulnerabilities Disclosed in Hitachi Energy RTU500 Devices Threaten Industrial Control Systems
Industrial control systems worldwide are facing significant risks following the disclosure of multiple critical vulnerabilities affecting **Hitachi Energy**'s **RTU500** product versions. These flaws, primarily leading to Denial of Service, could severely impact the availability, confidentiality, and integrity of critical infrastructure sectors such as energy, water, and dams. IT security professionals and operators are urged to implement immediate mitigation and remediation measures.
# Hitachi Energy RTU500 Devices Face Multiple Critical Vulnerabilities
**Hitachi Energy** has issued an advisory regarding a series of vulnerabilities impacting its **RTU500** series CMU Firmware, crucial components deployed in critical infrastructure across the globe. Exploitation of these flaws could lead to severe operational disruptions, primarily through Denial of Service (DoS), with potential secondary impacts on data confidentiality and integrity.
[View CSAF Advisory](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-155-04.json)
## Affected Products and Critical Infrastructure Impact
The vulnerabilities affect various firmware versions of the **Hitachi Energy RTU500 series CMU Firmware**, specifically:
* Versions 12.7.1 – 12.7.7
* Versions 13.5.1 – 13.5.4
* Versions 13.6.1 – 13.6.3
* Versions 13.7.1 – 13.7.8
* Version 13.8.1
These **RTU500** devices are widely deployed in critical infrastructure sectors including Dams, Energy, and Water and Wastewater systems globally. The potential for disruption in such environments underscores the urgency of addressing these security concerns.
## Deep Dive into the Vulnerabilities
The disclosed vulnerabilities span several types, with a high CVSS v3 score of 7.8, indicating significant risk. They include NULL Pointer Dereferences, Integer Overflows, and Infinite Loops.
### CVE-2025-69421: NULL Pointer Dereference in PKCS#12 Processing
This vulnerability, classified as [CWE-476 NULL Pointer Dereference](https://cwe.mitre.org/data/definitions/476.html), occurs when processing a malformed **PKCS#12** file. The `PKCS12_item_decrypt_d2i_ex()` function fails to check for NULL pointers, leading to a crash and a Denial of Service. The impact is limited to DoS and cannot be escalated to code execution or memory disclosure. It affects products where a privileged user uploads a malformed **PKCS#12** certificate via the web interface, or where PKI client functionality is configured.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2025-69421)
### CVE-2026-24515, CVE-2026-32776, & CVE-2026-32778: Multiple libexpat NULL Pointer Dereferences
Several vulnerabilities related to NULL pointer dereferences have been identified in the **libexpat** XML parsing library, which is used by **RTU500** devices when **IEC 61850** functionality is configured:
* **CVE-2026-24515** ([CWE-476](https://cwe.mitre.org/data/definitions/476.html)): Occurs in `XML_ExternalEntityParserCreate` due to not copying unknown encoding handler user data, leading to DoS.
* **CVE-2026-32776** ([CWE-476](https://cwe.mitre.org/data/definitions/476.html)): Allows a NULL pointer dereference with empty external parameter entity content, causing DoS.
* **CVE-2026-32778** ([CWE-476](https://cwe.mitre.org/data/definitions/476.html)): A NULL pointer dereference can occur in the `setContext` function on retry after an out-of-memory condition, resulting in DoS.
[View CVE-2026-24515 Details](https://www.cve.org/CVERecord?id=CVE-2026-24515)
[View CVE-2026-32776 Details](https://www.cve.org/CVERecord?id=CVE-2026-32776)
[View CVE-2026-32778 Details](https://www.cve.org/CVERecord?id=CVE-2026-32778)
### CVE-2026-25210: Integer Overflow in libexpat
Also affecting **libexpat** when **IEC 61850** functionality is configured, **CVE-2026-25210** ([CWE-190 Integer Overflow or Wraparound](https://cwe.mitre.org/data/definitions/190.html)) stems from the `doContent` function failing to properly determine buffer size due to a missing integer overflow check for tag buffer reallocation. This primarily causes Denial of Service and potentially impacts confidentiality and integrity.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-25210)
### CVE-2026-32777: Infinite Loop in libexpat DTD Parsing
Another **libexpat** vulnerability, **CVE-2026-32777** ([CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')](https://cwe.mitre.org/data/definitions/835.html)), can lead to an infinite loop while parsing DTD content. This, too, results in a Denial of Service, affecting products configured with **IEC 61850** functionality.
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-32777)
### CVE-2026-8479: IEC 60870-5-104 NULL Pointer Dereference
**CVE-2026-8479** ([CWE-476 NULL Pointer Dereference](https://cwe.mitre.org/data/definitions/476.html)) affects the **IEC 60870-5-104** protocol when used in bidirectional mode. A specially crafted sequence of messages can trigger a NULL pointer dereference, causing a Denial of Service. This is a concern for products configured with **IEC 60870-5-104** functionality in bidirectional mode (BCI).
[View CVE Details](https://www.cve.org/CVERecord?id=CVE-2026-8479)
## Recommendations for Operators
**Hitachi Energy** advises all affected users to refer to their "Recommended Immediate Actions" for information about mitigation and remediation. Given the critical nature of the affected systems, immediate attention to these advisories is paramount. IT security professionals managing **RTU500** deployments should review their configurations, update firmware where patches are available, and implement network segmentation and strict access controls to minimize exposure to potential exploits.
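As a starting point for that configuration review, the following added example (not taken from the Hitachi Energy advisory or CISA) maps each unit's firmware version and enabled functionality to the CVEs this article says are reachable. The feature-flag names and the inventory are constructed for illustration; the version ranges and CVE conditions are the ones listed above.

```python
# Added example: triage a constructed RTU500 inventory against this article's lists.
AFFECTED_RANGES = [  # inclusive CMU firmware ranges from the article
    ((12, 7, 1), (12, 7, 7)), ((13, 5, 1), (13, 5, 4)), ((13, 6, 1), (13, 6, 3)),
    ((13, 7, 1), (13, 7, 8)), ((13, 8, 1), (13, 8, 1)),
]
# Feature-flag names are hypothetical; the CVE conditions are the article's.
CVES_BY_FEATURE = {
    "web_cert_upload": ["CVE-2025-69421"],
    "pki_client": ["CVE-2025-69421"],
    "iec61850": ["CVE-2026-24515", "CVE-2026-25210", "CVE-2026-32776",
                 "CVE-2026-32777", "CVE-2026-32778"],
    "iec104_bidirectional": ["CVE-2026-8479"],
}

def parse_version(text):
    """Parse 'A.B.C' into a tuple of ints so 12.7.10 does not sort below 12.7.7."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def firmware_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def exposed_cves(version, features):
    """Sorted CVE ids reachable on this unit; [] if firmware is outside the ranges."""
    if not firmware_affected(version):
        return []
    hits = set()
    for feature in features:
        hits.update(CVES_BY_FEATURE.get(feature, ()))
    return sorted(hits)

def triage(inventory):
    """Map unit name -> CVE list, or None when the version needs manual review."""
    report = {}
    for unit in inventory:
        try:
            report[unit["name"]] = exposed_cves(unit["firmware"], unit["features"])
        except ValueError:
            report[unit["name"]] = None
    return report

SAMPLE_INVENTORY = [  # constructed data, not real assets
    {"name": "substation-a", "firmware": "13.7.4", "features": ["iec61850", "iec104_bidirectional"]},
    {"name": "pump-station-b", "firmware": "13.5.4", "features": ["pki_client"]},
    {"name": "dam-gate-c", "firmware": "12.6.9", "features": ["iec61850"]},
    {"name": "lab-unit-d", "firmware": "13.8.x", "features": []},
]
```

A `None` result marks a unit whose version string could not be parsed and should be checked by hand rather than assumed unaffected.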