Advisory

Multiple flaws reported in Hitachi Energy MicroSCADA Pro/X SYS600, at least one critical

Take action: As usual, the obvious mitigation comes first: make sure your SCADA software is isolated from the internet on a separate network. Then update all Hitachi Energy MicroSCADA Pro/X SYS600 systems to Version 10.6 immediately to protect against multiple critical vulnerabilities. For systems that cannot be updated, apply the specific vulnerability patches provided by Hitachi.


Learn More

CISA has issued an advisory regarding multiple security vulnerabilities discovered in Hitachi Energy's MicroSCADA Pro/X SYS600 products. These vulnerabilities, including a critical SQL injection flaw with a CVSS score of 9.9, could allow attackers to inject code, manipulate file systems, hijack sessions, and conduct phishing attempts.

The advisory identifies five distinct vulnerabilities affecting various versions of Hitachi Energy MicroSCADA Pro/X SYS600:

  • CVE-2024-4872 (CVSS score 9.9) - Improper Neutralization of Special Elements in Data Query Logic. This vulnerability allows an authenticated attacker to inject code towards persistent data.
  • CVE-2024-3980 (CVSS score 8.8) - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). This vulnerability enables authenticated users to access or modify system or critical application files.
  • CVE-2024-7940 (CVSS score 8.3) - Missing Authentication for Critical Function. The product exposes a service intended for local use to all network interfaces without authentication.
  • CVE-2024-3982 (CVSS score 8.2) - Authentication Bypass by Capture-replay. An attacker with local access can potentially hijack an established session if session logging is enabled.
  • CVE-2024-7941 (CVSS score 4.3) - URL Redirection to Untrusted Site ('Open Redirect'). This could be exploited for phishing attacks to steal user credentials.

Successful exploitation of these vulnerabilities could allow attackers to inject malicious code into persistent data, access and modify system files or other critical application files, hijack active sessions, execute functions without proper authentication and conduct phishing attacks against users.

Affected products

  • Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.0 to Version 10.5 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
  • Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.2 to Version 10.5 (CVE-2024-7940)
  • Hitachi Energy MicroSCADA Pro/X SYS600: Version 10.5 (CVE-2024-7941)
  • Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP1 (CVE-2024-3980)
  • Hitachi Energy MicroSCADA Pro/X SYS600: Version 9.4 FP2 HF1 to Version 9.4 FP2 HF5 (CVE-2024-4872, CVE-2024-3980)

Hitachi Energy has released the following mitigations:

  • For CVE-2024-4872, CVE-2024-3980, CVE-2024-3982, CVE-2024-7940: Upgrade Hitachi Energy MicroSCADA X SYS600 versions 10.3, 10.4, or 10.5 with the version-specific vulnerability patch 2025_01, or update to Version 10.6.
  • For CVE-2024-7941: Update Hitachi Energy MicroSCADA X SYS600 to Version 10.6.
  • For CVE-2024-4872, CVE-2024-3980: Apply Patch 9.4 FP2 HF6 for Hitachi Energy MicroSCADA Pro SYS600 (installation of previous FP2 hotfixes required prior to HF6).
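As an added example (not from the advisory, CISA or Hitachi Energy), a small Python triage helper that maps a SYS600 version string taken from an asset inventory to the CVEs in the affected-products list above and to the matching mitigation; the sample inventory, its hostnames and the version-string format "9.4 FP2 HF3" are constructed assumptions.

```python
import re

# Affected-version table transcribed from the advisory (inclusive ranges).
# Versions compare as (major, minor, feature_pack, hotfix) tuples.
AFFECTED = [
    ((10, 0, 0, 0), (10, 5, 0, 0), ("CVE-2024-4872", "CVE-2024-3980", "CVE-2024-3982")),
    ((10, 2, 0, 0), (10, 5, 0, 0), ("CVE-2024-7940",)),
    ((10, 5, 0, 0), (10, 5, 0, 0), ("CVE-2024-7941",)),
    ((9, 4, 1, 0), (9, 4, 1, 0), ("CVE-2024-3980",)),
    ((9, 4, 2, 1), (9, 4, 2, 5), ("CVE-2024-4872", "CVE-2024-3980")),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\s+FP(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '9.4 FP2 HF3' or '10.5' into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SYS600 version string: {text!r}")
    major, minor, fp, hf = (int(g) if g else 0 for g in m.groups())
    # Assumption (not from the advisory): a 10.x build carrying an FP/HF suffix is
    # treated as its base 10.x version, so it is flagged rather than silently skipped.
    if major == 10:
        fp = hf = 0
    return (major, minor, fp, hf)


def assess(version_text):
    """Return (sorted applicable CVEs, remediation text) for one SYS600 version."""
    v = parse_version(version_text)
    cves = sorted({c for lo, hi, ids in AFFECTED if lo <= v <= hi for c in ids})
    if not cves:
        return [], "no CVE from this advisory matches"
    if v[0] == 9:
        fix = "apply Patch 9.4 FP2 HF6 (earlier FP2 hotfixes must be installed first)"
    elif v[1] < 3:
        fix = "update to Version 10.6 (patch 2025_01 is only for 10.3 to 10.5)"
    elif "CVE-2024-7941" in cves:
        fix = "update to Version 10.6 (patch 2025_01 does not cover CVE-2024-7941)"
    else:
        fix = "apply vulnerability patch 2025_01, or update to Version 10.6"
    return cves, fix


def triage(inventory):
    """Map each (host, version) pair from an inventory export to its assessment."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    sample = [("scada-a", "10.5"), ("scada-b", "9.4 FP2 HF3"), ("scada-c", "10.6")]
    for host, (cves, fix) in triage(sample).items():
        print(f"{host}: {', '.join(cves) or 'not affected'} -> {fix}")
```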

Additional recommended security practices include:

  • Ensure physical protection of control systems
  • Isolate control systems from the Internet using properly configured firewalls
  • Avoid using control systems for Internet browsing or email
  • Scan portable computers and removable media for malware
  • Implement proper password policies
  • Deploy the product following the "MicroSCADA cybersecurity deployment guideline"

No public exploitation of these vulnerabilities has been reported to CISA at the time of the advisory.
