PatchSiren cyber security CVE debrief
CVE-2022-4203 Hitachi Energy CVE debrief
CVE-2022-4203 affects Hitachi Energy PCU400 and PCULogger in X.509 certificate verification. The issue is a read buffer overrun in name constraint checking that occurs after certificate chain signature verification. In affected deployments, the flaw can lead to a crash and denial of service, and the advisory notes a theoretical risk of private memory disclosure, though no working disclosure exploit was known at release. CISA published the advisory on 2025-02-25.
- Vendor
- Hitachi Energy
- Product
- PCU400
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-02-25
- Original CVE updated
- 2025-02-25
- Advisory published
- 2025-02-25
- Advisory updated
- 2025-02-25
Who should care
Operators and maintainers of Hitachi Energy PCU400 and PCULogger, especially where IEC62351-3 secure communications are used for IEC104/DNP3, and any deployment that relies on TLS certificate verification in a client or server role.
Technical summary
The vulnerability is a read buffer overrun in X.509 certificate verification during name constraint checking. It is reached after certificate chain signature verification. The advisory says it requires either a CA-signed malicious certificate or that the application continue certificate verification despite failing to build a path to a trusted issuer. In a TLS client, a malicious server can trigger it; in a TLS server, a malicious client can trigger it when client authentication is requested. Impact is primarily denial of service via crash, with theoretical exposure of private memory contents.
Defensive priority
Medium. The advisory describes network-triggerable behavior but also indicates the attacker usually needs a valid CA-signed malicious certificate or a configuration that continues verification after path-building failure. Prioritize remediation on exposed systems that use the affected secure communication paths.
Recommended defensive actions
- Update PCU400 to version 6.6.0 or later if IEC62351-3 secure for IEC104/DNP3 is used.
- Update PCU400 to version 9.4.2 or later if IEC62351-3 secure for IEC104/DNP3 is used.
- If PCULogger is used, plan to update to version 1.2.0 when available; the advisory says it is compatible with PCU400 9.4.2 and later.
- Review TLS certificate verification settings and avoid continuing verification when path construction to a trusted issuer fails unless explicitly required and understood.
- Limit exposure of affected systems to trusted networks and trusted certificate authorities.
- Monitor for unexpected crashes or service restarts in affected PCU400 and PCULogger deployments.
- Apply CISA ICS recommended practices and defense-in-depth guidance for industrial control systems.
Evidence notes
CISA’s advisory ICSA-25-065-01 was published on 2025-02-25 and lists CVE-2022-4203 as affecting Hitachi Energy PCU400 versions 6.5 K and below, PCU400 versions 9.4.1 and below, and PCULogger versions 1.1.0 and below. The advisory describes the flaw as a read buffer overrun in X.509 certificate verification during name constraint checking, with denial-of-service impact and only theoretical memory-disclosure risk at the time of release. Vendor remediation guidance in the source corpus is to update PCU400 to 6.6.0 or 9.4.2 depending on the product line, and to move PCULogger to 1.2.0 when available.
Official resources
-
CVE-2022-4203 CVE record
CVE.org
-
CVE-2022-4203 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA advisory ICSA-25-065-01 on 2025-02-25; the source record shows the advisory and CVE published/modified on the same date, with initial revision history entry recorded that day.