CISA flags CVE-2026-7310 in Hitachi MACH HiDraw
Local authenticated access lowers the heat, but dams and energy operators still need version 9.23 in the plan.
TL;DR
CISA republished Hitachi Energy’s advisory for CVE-2026-7310, a heap-based buffer overflow in MACH HiDraw versions 9.22 and prior. The flaw sits in XML parser functionality and requires an authenticated malicious user with local access and a crafted XML file. Operators in dams, energy, and transportation systems should move to version 9.23, though Hitachi’s case-by-case upgrade language is the real OT caveat.
This is not a drop-everything internet-exposed emergency. CISA lists CVE-2026-7310 as medium severity, with CVSS 3.1 at 5.5 and CVSS 4.0 at 4.4, and the exploit path requires authenticated local access plus user interaction through a specially crafted XML file. That still matters in operational technology environments because the affected product, Hitachi Energy MACH HiDraw, is deployed worldwide in dams, energy, and transportation systems. Successful exploitation could crash the application, corrupt memory, and potentially allow arbitrary code execution.
The practical fix is straightforward on paper: upgrade MACH HiDraw 9.22 and earlier to version 9.23. The harder sentence is Hitachi’s: “Due to the complexity of individual implementation of the project, contact local account team for further information on possible upgrades.” That is the usual place where OT patching stops being a vulnerability-management ticket and becomes a site-specific maintenance decision. For primes and critical-infrastructure operators, the Monday task is inventory first, then plan the 9.23 move with the local Hitachi team before this medium-severity advisory becomes a preventable outage story.
Published ·Deep Fathom