PatchSiren

CVE-2024-11499 Hitachi Energy CVE debrief

CVE-2024-11499 is a medium-severity availability issue in Hitachi Energy RTU500 Series CMU Firmware. According to the CISA CSAF advisory, an authenticated and authorized attacker can trigger a CMU restart when certificates are updated while they are in use on active connections. The CMU is described as automatically recovering after a successful exploit, but the restart can still interrupt service. The advisory was published on 2025-03-25 and later revised to add fixed versions for some branches.

Vendor: Hitachi Energy
Product: CMU Firmware
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-25
Original CVE updated: 2025-09-09
Advisory published: 2025-03-25
Advisory updated: 2025-09-09

Who should care

Operators and maintainers of Hitachi Energy RTU500 environments, especially teams that manage IEC 60870-5-104 controlled station functionality, certificate lifecycle operations, and availability-sensitive OT/ICS deployments.

Technical summary

The advisory describes a network-reachable attack path with high privileges required (CVSS 3.1: AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). The triggering condition is certificate replacement while those certificates are actively used on live connections, which can cause the CMU to restart. The affected firmware ranges are 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, and 13.7.1–13.7.4. Fixed versions listed in the advisory revisions are 13.5.4, 13.6.3, and 13.7.7; for 13.4.1–13.4.4, the supplied remediation guidance points to general mitigation factors/workarounds and upgrading when a remediated version is available.
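
The version ranges above can be checked against an asset inventory with a short script. This is an added example, not code from the advisory or the vendor; the host names and inventory are constructed, and treating releases at or above a listed fix as fixed is an assumption.

```python
# Added example: classify RTU500 CMU firmware versions for CVE-2024-11499.
# Ranges and fixed versions are the ones quoted on this page.

# branch -> (first affected, last affected, fixed version or None)
BRANCHES = {
    (13, 4): ((13, 4, 1), (13, 4, 4), None),        # no fixed version listed
    (13, 5): ((13, 5, 1), (13, 5, 3), (13, 5, 4)),
    (13, 6): ((13, 6, 1), (13, 6, 1), (13, 6, 3)),
    (13, 7): ((13, 7, 1), (13, 7, 4), (13, 7, 7)),
}


def parse(version):
    """Turn 'major.minor.patch' into a tuple of ints; reject anything else."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {version!r}")
    return parts


def classify(version):
    """Return (status, fixed_version) for one firmware version string.

    status is 'affected', 'fixed' or 'unlisted'; fixed_version is the
    upgrade target for an affected branch, or None when none is listed.
    """
    v = parse(version)
    entry = BRANCHES.get(v[:2])
    if entry is None:
        return ("unlisted", None)
    first, last, fixed = entry
    target = ".".join(map(str, fixed)) if fixed else None
    if first <= v <= last:
        return ("affected", target)
    # Assumption: releases at or above the listed fix in a branch keep the fix.
    if fixed is not None and v >= fixed:
        return ("fixed", None)
    # Gap versions (e.g. 13.6.2, 13.7.5) are in neither list: confirm with vendor.
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed inventory; host names are hypothetical.
    inventory = {"rtu-a": "13.4.2", "rtu-b": "13.7.5", "rtu-c": "13.5.4"}
    for host, fw in sorted(inventory.items()):
        status, target = classify(fw)
        print(f"{host} {fw}: {status}" + (f", upgrade to {target}" if target else ""))
```

Versions that fall between an affected range and the listed fix, such as 13.6.2 or 13.7.5, are reported as unlisted rather than safe, since the page names them in neither list.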

Defensive priority

Medium priority. Prioritize if the CMU is externally reachable, certificate updates are routine, or a restart would affect critical control communications; otherwise schedule remediation into the next maintenance cycle and apply vendor workarounds now.

Recommended defensive actions

  • Upgrade to the vendor-fixed firmware version that matches your branch: 13.5.4, 13.6.3, or 13.7.7.
  • For affected 13.4.1–13.4.4 systems, apply the vendor's General Mitigation Factors/Workarounds and monitor for a remediated release.
  • Review certificate update procedures so changes are performed in a controlled maintenance window and only in line with vendor guidance for active connections.
  • Validate whether any RTU500 CMU deployments are exposed to authenticated remote administration paths that could reach certificate-management functions.
  • Use defense-in-depth controls appropriate for ICS assets, including segmentation and least-privilege administrative access.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-093-01 for Hitachi Energy RTU500 Series (Update B), published 2025-03-25 and revised 2025-09-09. The advisory lists affected CMU Firmware versions 13.4.1–13.4.4, 13.5.1–13.5.3, 13.6.1, and 13.7.1–13.7.4, and remediation entries for 13.5.4, 13.6.3, and 13.7.7 plus general mitigation guidance. The description explicitly says the issue can be triggered when certificates are updated while in use on active connections and that the affected CMU automatically recovers after exploitation.

Official resources

CISA CSAF advisory ICSA-25-093-01 was published on 2025-03-25 and revised on 2025-09-09; the revision history added fixed versions 13.5.4, 13.6.3, and 13.7.7.