What is CVE-2024-4872 and how severe is it?

CVE-2024-4872 has a CVSS score of 9.3 (Critical) and involves Improper Neutralization of Special Elements in Data Query Logic in the query validation of the MACH GWS product. If exploited, this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability, an attacker must have valid credentials.

What is CVE-2024-3980 and how severe is it?

CVE-2024-3980 has a CVSS score of 9.3 (Critical) and involves Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The MACH GWS product allows authenticated user input to control or influence paths or file names used in filesystem operations. If exploited, the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

What is CVE-2024-7940 and how severe is it?

CVE-2024-7940 has a CVSS score of 8.8 (High) and involves Missing Authentication for Critical Function. The MACH GWS product exposes a service that is intended for local use only to all network interfaces without any authentication, potentially allowing unauthorized access.

What is CVE-2024-3982 and how severe is it?

CVE-2024-3982 has a CVSS score of 7.3 (High) and involves Authentication Bypass by Capture-replay. An attacker with local access to the machine where MACH GWS is installed could enable session logging supporting the product and attempt to exploit a session hijacking of an already established session. Note that by default, the session logging level is not enabled, and only users with administrator rights can enable it.

Which versions of MACH GWS are affected by these vulnerabilities?

The following Hitachi Energy products and versions are affected: MACH GWS Version 2.1.0.0 is affected by CVE-2024-4872 and CVE-2024-3980; MACH GWS Versions 2.2.0.0 to 2.4.0.0 are affected by CVE-2024-4872 and CVE-2024-3980; MACH GWS Versions 3.0.0.0 to 3.3.0.0 are affected by CVE-2024-4872, CVE-2024-3980, and CVE-2024-3982; and MACH GWS Versions 3.1.0.0 to 3.3.0.0 are affected by CVE-2024-7940.

What updates or patches does Hitachi Energy recommend to address these vulnerabilities?

Hitachi Energy recommends that users update to the following versions: For MACH GWS Versions 3.0.0.0 to 3.3.0.0, upgrade to version 3.4.0.0; For MACH GWS Version 2.1.0.0, apply patches HF1 to HF6 sequentially; For MACH GWS Versions 2.2.0.0 to 2.4.0.0, apply patches HF3 to HF6 sequentially.

What is MACH GWS and why are these vulnerabilities significant?

MACH GWS (Gateway Station) is a product developed by Hitachi Energy that serves as a gateway and communication interface for power grid systems. These vulnerabilities are significant because they could potentially allow attackers to compromise critical infrastructure systems by injecting code, accessing or modifying system files, bypassing authentication, or hijacking user sessions.

Do any of these vulnerabilities allow unauthorized access without credentials?

Yes, CVE-2024-7940 (CVSS score 8.8) involves a Missing Authentication for Critical Function vulnerability where the MACH GWS product exposes a service that is intended for local use only to all network interfaces without any authentication, potentially allowing unauthorized access. The other vulnerabilities generally require some level of authentication or local access to exploit.

Advisory

Critical vulnerabilities reported in Hitachi Energy MACH GWS products

Q: What security vulnerabilities has Hitachi Energy recently reported?

Hitachi Energy is reporting multiple critical security vulnerabilities affecting their MACH GWS (Gateway Station) products. MACH GWS serves as a gateway and communication interface for power grid systems. These security flaws could allow attackers to inject code, read or modify files, hijack user sessions, or access exposed ports without proper authentication.

published: May 14, 2025

Take action: If you're using Hitachi Energy MACH GWS products in your power grid infrastructure, isolate these systems from external networks, implement firewall rules, and ensure only authorized personnel have physical access. Then plan an update to the recommended versions.

Learn More

Hitachi Energy is reporting a critical flaw in disclosed multiple critical security vulnerabilities affecting their MACH GWS products. MACH GWS (Gateway Station) is a product developed by Hitachi Energy that serves as a gateway and communication interface for power grid systems.

These security flaws could allow attackers to inject code, read or modify files, hijack user sessions, or access exposed ports without proper authentication.

Vulnerabilities summary

CVE-2024-4872 (CVSS score 9.3) Improper Neutralization of Special Elements in Data Query Logic in the query validation of the MACH GWS product. If exploited, this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability, an attacker must have valid credentials.
CVE-2024-3980 (CVSS score 9.3) Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The MACH GWS product allows authenticated user input to control or influence paths or file names used in filesystem operations. If exploited, the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.
CVE-2024-7940 (CVSS score 8.8): Missing Authentication for Critical Function. The MACH GWS product exposes a service that is intended for local use only to all network interfaces without any authentication, potentially allowing unauthorized access.
CVE-2024-3982 (CVSS score 7.3) Authentication Bypass by Capture-replay. An attacker with local access to the machine where MACH GWS is installed could enable session logging supporting the product and attempt to exploit a session hijacking of an already established session. Note that by default, the session logging level is not enabled, and only users with administrator rights can enable it.

The following Hitachi Energy products and versions are affected:

MACH GWS Version 2.1.0.0: Affected by CVE-2024-4872, CVE-2024-3980
MACH GWS Versions 2.2.0.0 to 2.4.0.0: Affected by CVE-2024-4872, CVE-2024-3980
MACH GWS Versions 3.0.0.0 to 3.3.0.0: Affected by CVE-2024-4872, CVE-2024-3980, CVE-2024-3982
MACH GWS Versions 3.1.0.0 to 3.3.0.0: Affected by CVE-2024-7940

Hitachi Energy recommends that users update to the following versions:

MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0
MACH GWS Version 2.1.0.0: Apply patches HF1 to HF6 sequentially
MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply patches HF3 to HF6 sequentially

Critical vulnerabilities reported in Hitachi Energy MACH GWS products

Read More
Multiple critical flaws in Planet Technology WGS-804HPT industrial …
CISA warns of critical flaw in Schneider Electric …
Critical vulnerabilities reported in EG4 electronics solar inverters
Multiple critical flaws reported in MICROSENS NMP Web+ …
Rockwell ThinManager Critical Vulnerabilities expose Industrial Interfaces