1. EXECUTIVE SUMMARY
- CVSS v4 8.2
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: RTU500 series
- Vulnerabilities: NULL Pointer Dereference, Improper Validation of Integrity Check Value, Improper Restriction of XML External Entity Reference, Heap-based Buffer Overflow, Integer Overflow or Wraparound, Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’), Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a Denial-of-Service condition in RTU500 devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:
- Hitachi Energy RTU500 series: Version 13.6.1 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
- Hitachi Energy RTU500 series: Versions 12.7.1 through 12.7.7 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
- Hitachi Energy RTU500 series: Versions 13.4.1 through 13.4.4 (CVE-2025-39203)
- Hitachi Energy RTU500 series: Versions 13.5.1 through 13.5.3 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
- Hitachi Energy RTU500 series: Versions 13.7.1 through 13.7.6
3.2 VULNERABILITY OVERVIEW
3.2.1 NULL POINTER DEREFERENCE CWE-476
A vulnerability has been identified in the openLDAP library used in Central Account Management (CAM) client. This issue can lead to a Denial of Service (DoS) condition when a specially crafted request may cause a null pointer to dereference, resulting in affected CMU to automatically recovering itself by rebooting.
CVE-2023-2953 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ([…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: