PatchSiren

CVE-2023-5769 Hitachi Energy CVE debrief

CVE-2023-5769 affects Hitachi Energy RTU500 series CMU firmware in the HCI IEC 60870-5-104 component. The advisory says that an incomplete or wrong layout of a received APDU frame, or delayed reception of APDU data octets, may cause endless blocking while incoming frames are read on the link layer. The impact is availability-only and limited to the affected communication link; if the attack sequence stops, the previously attacked link returns to normal. The supplied CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) matches a network-reachable denial-of-service condition in an OT communication path.

Vendor: Hitachi Energy
Product: RTU500 series Product
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-11-28
Original CVE updated: 2024-12-18
Advisory published: 2023-11-28
Advisory updated: 2024-12-18

Who should care

OT/ICS operators using Hitachi Energy RTU500 series CMU firmware, especially teams responsible for IEC 60870-5-104 communications, substation connectivity, and patch management. Network defenders who monitor or segment industrial control traffic should also review exposure.

Technical summary

The issue is in HCI IEC 60870-5-104 link-layer handling. According to the advisory, if the device receives APDU data with wrong length information or delayed data octets, the receive path can become blocked indefinitely for that communication link. No confidentiality or integrity impact is described; the issue affects availability only. The source corpus lists affected CMU firmware series 12.0.1–12.0.14, 12.2.1–12.2.11, 12.4.1–12.4.11, 12.6.1–12.6.9, 12.7.1–12.7.6, 13.2.1–13.2.6, and 13.4.1–13.4.3.

Defensive priority

Medium. The vulnerability is network-reachable and can disrupt IEC 60870-5-104 communication, but the documented impact is limited to one link and recovery occurs when the attack sequence stops. Prioritize patching during the next planned OT maintenance window and apply compensating controls if immediate update is not possible.

Recommended defensive actions

  • Update RTU500 series CMU firmware to the vendor-fixed version for your branch: 12.0.15, 12.2.12, 12.4.12, 12.6.10, 12.7.7, 13.2.7, or 13.4.4; the remediation text also lists 13.5.1.
  • Inventory RTU500 series deployments and confirm whether any CMU firmware falls within the affected ranges listed in the advisory.
  • Review IEC 60870-5-104 exposure and limit access to trusted OT management and control networks.
  • Apply CISA ICS recommended practices and defense-in-depth guidance for segmentation, monitoring, and least-privilege access around industrial communication paths.
  • Monitor for unusual or repeated link-layer communication failures on IEC 60870-5-104 links until patching is complete.
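
The monitoring step above, as an added example (not code from the advisory, CISA or the vendor): a passive checker that reassembles APDUs from timestamped payload chunks of one direction of an IEC 60870-5-104 TCP link and flags invalid length octets and frames left incomplete. The start octet 0x68 and the 4 to 253 length range come from the IEC 60870-5-104 framing rules rather than from this page; the `inspect_stream` name, the 5-second threshold and the sample bytes are assumptions constructed for illustration.

```python
from dataclasses import dataclass

START = 0x68                 # APCI start octet
MIN_LEN, MAX_LEN = 4, 253    # valid range of the APDU length octet
STALL_SECONDS = 5.0          # assumed alert threshold, tune per link

@dataclass
class Finding:
    time: float
    kind: str                # bad_start | bad_length | stalled_frame
    detail: str


def inspect_stream(chunks, end_time, stall=STALL_SECONDS):
    """chunks: (timestamp, bytes) for one direction of one TCP link, in order.
    Returns (number of complete APDUs, list of Finding)."""
    buf, started, complete, findings = bytearray(), None, 0, []
    for ts, data in list(chunks) + [(end_time, b"")]:
        # A frame still incomplete after `stall` seconds: delayed or missing octets.
        if buf and ts - started > stall:
            findings.append(Finding(ts, "stalled_frame",
                                    f"{len(buf)} octets pending for {ts - started:.1f}s"))
            started = ts     # re-arm so one stuck frame is not reported per octet
        if not buf:
            started = ts
        buf += data
        while buf:
            if buf[0] != START:
                findings.append(Finding(ts, "bad_start", f"0x{buf[0]:02x}"))
                buf.clear()  # framing lost, resynchronise on the next chunk
            elif len(buf) < 2:
                break        # length octet not received yet
            elif not MIN_LEN <= buf[1] <= MAX_LEN:
                findings.append(Finding(ts, "bad_length", f"length octet {buf[1]}"))
                buf.clear()
            elif len(buf) < 2 + buf[1]:
                break        # partial frame, wait for more octets
            else:
                del buf[:2 + buf[1]]
                complete, started = complete + 1, ts
    return complete, findings

# Constructed sample traffic (not captured from a real device).
STARTDT_ACT = bytes.fromhex("680407000000")
TESTFR_ACT = bytes.fromhex("680443000000")
SAMPLE = [(0.0, STARTDT_ACT), (1.0, TESTFR_ACT[:3]), (1.2, TESTFR_ACT[3:]),
          (2.0, bytes.fromhex("68020000")),   # length octet below the minimum
          (3.0, bytes.fromhex("680e0000"))]   # declares 14 octets, sends 2, stops
```

Feed it per-direction TCP payloads exported from a tap or span port on the OT network; repeated `bad_length` or `stalled_frame` findings on one link are the condition to investigate until the firmware is updated.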

Evidence notes

The technical description, affected versions, and fixed versions are drawn from the CISA CSAF advisory record for ICSA-25-128-02 / CVE-2023-5769 and its revision history. The vulnerability description states that incomplete or wrong APDU layout or delayed APDU octets can block a communication link, and the CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H supports availability-only impact. General defensive guidance is grounded in the linked CISA ICS recommended-practices resources.

Official resources

Publicly disclosed in the CISA CSAF advisory and vendor advisory on 2023-11-28. CISA later revised the advisory multiple times, with the latest supplied update on 2024-12-18 adding or correcting fixed versions in the Recommended Actions and