1. EXECUTIVE SUMMARY
- CVSS v4 7.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: MicroSCADA X SYS600
- Vulnerabilities: Incorrect Default Permissions, External Control of File Name or Path, Improper Validation of Integrity Check Value, Exposure of Sensitive Information Through Data Queries, Improper Certificate Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- Hitachi Energy MicroSCADA Pro/X SYS600: version 10.0 up to 10.6 (CVE-2025-39201, CVE-2025-39202, CVE-2025-39204, CVE-2025-39205)
- Hitachi Energy MicroSCADA Pro/X SYS600: version 10.5 up to 10.6 (CVE-2025-39203)
- Hitachi Energy MicroSCADA Pro/X SYS600: version 10.3 up to 10.6 (CVE-2025-39205)
3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276
A vulnerability exists in the mailslot functionality of the MicroSCADA X SYS600 product. If exploited this could allow a local attacker to tamper the mailslot configuration file, making denial of mailslot a related service.
CVE-2025-39201 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2025-39201. A base score of 6.9 has been calculated; the CVSS vector string is ([…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: