The Broadside · ICS/OT · Regulator · News · 1 min read

CISA flags eight Hitachi Energy RTU500 denial-of-service CVEs

For plant operators, the practical question is maintenance-window timing, because the advisory leaves 13.7.9 availability unresolved.


TL;DR

CISA issued an ICS advisory for eight CVEs in Hitachi Energy RTU500 CMU firmware versions 12.7.1 through 13.8.1. The impacts are mainly availability, for example a CVSS 6.5 crash triggered by a malformed PKCS#12 certificate. Power, dams, and water/wastewater operators, and the prime contractors and state CISOs tracking their OT exposure, should move affected deployments to 13.8.2. The fallback is 13.7.9 "when available"; the advisory gives no availability date.

CISA's RTU500 item is a patch-and-plan advisory. No new procurement clause or reporting duty follows from it. Hitachi Energy lists affected CMU firmware from 12.7.1 through 13.8.1, and the worst practical outcome is device outage: malformed PKCS#12 certificate handling can crash processing, and several libexpat issues apply where IEC 61850 functionality is configured. For power, dams, and water/wastewater operators, availability is the point. The work is inventory first, then firmware planning: 13.8.2 is the vendor fix that ships today, while 13.7.9 is listed only "when available", so a 13.7.x fleet has no same-branch fix to install yet. CISA also does not settle whether air-gapped RTU500 deployments using offline PKI are out of scope. If the device processes certificates or IEC 61850 traffic, the maintenance window still has to be found.
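The inventory-then-plan step above is where fleets usually go wrong, for two reasons: firmware versions get compared as strings, and a fix release on an older branch (13.7.9) sorts numerically inside the affected range (12.7.1 through 13.8.1) even though it is not affected. The script below is an added triage example, not Hitachi Energy or CISA tooling. The only facts it takes from the advisory are the affected range, that 13.8.2 is available, and that 13.7.9 is listed "when available". The asset records, the per-branch fix table, the `iec61850` and `handles_certs` flags and the priority rule are assumptions made for the example.

```python
"""Firmware triage for the RTU500 advisory (added example, not vendor code)."""
from dataclasses import dataclass

Version = tuple[int, ...]


def parse_version(s: str) -> Version:
    """Parse 'a.b.c' into a tuple so comparisons are numeric.

    String comparison gets this wrong: "13.10.0" < "13.8.2" as strings.
    """
    return tuple(int(p) for p in s.strip().split("."))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


# Inclusive affected range, as stated in the advisory.
AFFECTED_LOW = parse_version("12.7.1")
AFFECTED_HIGH = parse_version("13.8.1")

# Fixed release per maintenance branch, keyed by (major, minor). The bool says
# whether the operator can install it today: 13.8.2 is available, 13.7.9 is
# listed "when available". Assumption: the operator flips the second flag once
# Hitachi Energy publishes 13.7.9.
FIXED: dict[tuple[int, int], tuple[Version, bool]] = {
    (13, 8): (parse_version("13.8.2"), True),
    (13, 7): (parse_version("13.7.9"), False),
}
DEFAULT_TARGET = parse_version("13.8.2")


@dataclass
class Rtu:
    name: str
    firmware: str
    iec61850: bool       # IEC 61850 configured (libexpat issues apply) - assumed flag
    handles_certs: bool  # device processes PKCS#12 material (crash condition) - assumed flag


def triage(rtu: Rtu) -> dict:
    v = parse_version(rtu.firmware)
    fixed = FIXED.get(v[:2])

    # A branch fix release sits inside the numeric range (13.7.9 < 13.8.1) but is not affected.
    if fixed and v >= fixed[0]:
        return {"name": rtu.name, "status": "fixed", "action": "none", "priority": 0}

    if not (AFFECTED_LOW <= v <= AFFECTED_HIGH):
        # Outside the stated range is not the same as "safe": confirm with the vendor.
        return {"name": rtu.name, "status": "outside-advisory-range",
                "action": "confirm support status with vendor", "priority": 1}

    if fixed and fixed[1]:
        action = f"upgrade to {fmt(fixed[0])}"
    elif fixed:
        action = (f"{fmt(fixed[0])} not yet available; plan move to "
                  f"{fmt(DEFAULT_TARGET)} or schedule when it ships")
    else:
        action = f"upgrade to {fmt(DEFAULT_TARGET)}"

    # Assumed priority rule: every affected unit scores 2, plus 1 for each exposed
    # code path the advisory names (IEC 61850 parsing, certificate handling).
    priority = 2 + int(rtu.iec61850) + int(rtu.handles_certs)
    return {"name": rtu.name, "status": "affected", "action": action, "priority": priority}


def triage_inventory(rtus: list[Rtu]) -> list[dict]:
    """Highest priority first, so the maintenance-window plan starts at the top."""
    return sorted((triage(r) for r in rtus), key=lambda d: -d["priority"])


# Constructed sample inventory: names, versions and flags are invented for the example.
SAMPLE_INVENTORY = [
    Rtu("rtu-sub-a", "13.8.1", iec61850=True, handles_certs=True),
    Rtu("rtu-sub-b", "13.7.4", iec61850=True, handles_certs=False),
    Rtu("rtu-sub-c", "13.8.2", iec61850=False, handles_certs=True),
    Rtu("rtu-sub-d", "12.7.1", iec61850=False, handles_certs=False),
    Rtu("rtu-sub-e", "12.6.3", iec61850=True, handles_certs=True),
]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(f"{row['priority']}  {row['name']:10} {row['status']:24} {row['action']}")
```

The per-branch fix table is the part worth keeping when you adapt this to a real asset list: a plain "version between 12.7.1 and 13.8.1" rule would mark a future 13.7.9 install as still vulnerable, and a string comparison would mis-order anything past a two-digit minor. Treating "outside the range" as "confirm with vendor" rather than "safe" is deliberate, since the advisory only describes what it tested.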


Published · Deep Fathom