CISA flags eight Hitachi Energy RTU500 firmware CVEs
For operators, this is a firmware inventory problem before it is a vulnerability-management talking point.
TL;DR
CISA published an ICS advisory for eight CVEs in Hitachi Energy RTU500 CMU firmware, affecting versions 12.7.1 through 13.8.1. Dams, energy, and water operators, including primes and defense-industrial-base contractors running the devices, face mainly availability exposure. Hitachi Energy’s fixes are CMU firmware 13.8.2 or 13.7.9, though CISA marks 13.7.9 as “when available.”
CISA’s advisory puts the operational task plainly: identify Hitachi Energy RTU500 CMU firmware in the affected 12.7.1 through 13.8.1 ranges, then plan the firmware move to 13.8.2 or 13.7.9 depending on the installed branch. The vulnerabilities primarily affect product availability, with possible secondary confidentiality and integrity impact, and the affected critical-infrastructure sectors are dams, energy, and water and wastewater.
The remediation detail matters because this is operational technology, not a laptop patch ring. CISA lists update paths to CMU firmware 13.8.2 and to 13.7.9, but the 13.7.9 entry is marked “when available.” Operators that cannot move directly to 13.8.2 should treat that as a scheduling constraint, not a waiver. The Monday work is asset inventory, firmware-version confirmation, and maintenance-window planning.
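The inventory pass described above can be scripted. The following is an added example, not code from CISA or Hitachi Energy: it triages a constructed inventory against the 12.7.1 through 13.8.1 envelope stated here, and treats 13.7.9 as fixed even though it sorts inside that envelope. The asset names, CSV columns, and the rule that 13.7.x units stay on their branch are assumptions; the per-CVE version ranges must be taken from the advisory itself.

```python
import csv
import io
import re

# Envelope and fixed releases as stated in the article; per-CVE sub-ranges
# are in the CISA advisory and are not reproduced here.
ENVELOPE_LOW, ENVELOPE_HIGH = (12, 7, 1), (13, 8, 1)
FIX_MAIN, FIX_137 = (13, 8, 2), (13, 7, 9)

# Constructed sample inventory (hypothetical asset names and columns).
SAMPLE_INVENTORY = """asset,site,cmu_firmware
rtu-a01,pump-station-1,12.7.1
rtu-a02,pump-station-1,13.7.4
rtu-b01,substation-3,13.7.9
rtu-b02,substation-3,13.8.1
rtu-c01,spillway-2,13.8.2
rtu-c02,spillway-2,12.6.9
rtu-d01,intake-4,unknown
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the field is not x.y.z."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(version_text):
    """Classify one firmware string; returns (status, planned_target)."""
    v = parse_version(version_text)
    if v is None:
        return ("confirm-on-device", None)   # inventory gap, not a pass
    # 13.7.9 sorts inside the envelope but is a fixed release on its branch.
    if v >= FIX_MAIN or (v[:2] == FIX_137[:2] and v >= FIX_137):
        return ("fixed", None)
    if not (ENVELOPE_LOW <= v <= ENVELOPE_HIGH):
        return ("outside-envelope", None)    # not in the range stated here
    # Assumption: 13.7.x units stay on their branch; all others go to 13.8.2.
    if v[:2] == FIX_137[:2]:
        return ("in-envelope", "13.7.9 (when available)")
    return ("in-envelope", "13.8.2")

def triage_inventory(csv_text):
    """Map each asset in the CSV text to its (status, planned_target)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: triage(r["cmu_firmware"]) for r in rows}

if __name__ == "__main__":
    for asset, (status, target) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:8} {status:18} {target or '-'}")
```

Units reported as `confirm-on-device` belong on the maintenance-window list alongside the in-envelope ones, since an unreadable version field is an inventory gap rather than a clean result.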
Published · Deep Fathom