PatchSiren

CVE-2024-28757 Hitachi Energy CVE debrief

CVE-2024-28757 is a medium-severity availability issue in Hitachi Energy RTU500 series components that use libexpat for IEC 61850 client and server processing. According to the CISA CSAF advisory published on 2025-09-16, an authenticated and authorized malicious user could load crafted XML input that may cause memory mismanagement and potentially reboot the RTU500. Hitachi Energy’s remediation guidance calls out a firmware update for CMU Firmware 13.7.1 through 13.7.6 to version 13.7.7, along with general mitigation factors/workarounds. The practical risk is operational disruption rather than code execution or data theft: the described impact is device reboot, which can interrupt control availability in industrial environments. Organizations running the RTU500 series should treat this as a priority maintenance item wherever the affected CMU firmware range is deployed and authenticated access to IEC 61850 interfaces exists.

Vendor: Hitachi Energy
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-09-16
Original CVE updated: 2025-09-16
Advisory published: 2025-09-16
Advisory updated: 2025-09-16

Who should care

OT/ICS operators, control engineers, and security teams responsible for Hitachi Energy RTU500 deployments—especially systems running CMU Firmware 13.7.1 through 13.7.6 and exposing IEC 61850 client/server functionality to authenticated users.

Technical summary

The advisory describes a libexpat-related memory mismanagement condition in the IEC 61850 client and server components of the RTU500 product series. A successful trigger requires an authenticated and authorized malicious user to supply crafted XML input. The stated outcome is a reboot of RTU500, so the primary security impact is availability loss. The provided CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) aligns with a network-reachable, low-complexity, low-privilege, no-user-interaction availability issue. Hitachi Energy’s listed remediation is to update CMU Firmware 13.7.1 through 13.7.6 to 13.7.7 and follow the associated mitigation guidance.

Defensive priority

Medium-high. The vulnerability is not described as remotely unauthenticated, but it can still interrupt industrial operations by rebooting affected RTU500 systems. Prioritize if the affected firmware range is deployed in production or where IEC 61850 interfaces are reachable by authorized users.

Recommended defensive actions

  • Upgrade RTU500 series CMU Firmware version 13.7.1 through 13.7.6 to CMU Firmware version 13.7.7, as specified by Hitachi Energy.
  • Review and apply the general mitigation factors/workarounds referenced in the vendor advisory for CVE-2024-28757.
  • Limit and monitor authenticated access to IEC 61850 client/server functions and XML-bearing workflows on affected RTU500 systems.
  • Validate operational resilience, including failover and reboot recovery procedures, before and after remediation.
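
One way to scope the firmware-upgrade and access-review actions above against an asset inventory, as an added example that is not part of the advisory or of any Hitachi Energy tooling: it flags RTU500 entries whose CMU firmware falls in 13.7.1 through 13.7.6. The CSV column names, the hostnames, and the choice to rank IEC 61850-enabled units first are assumptions made for illustration.

```python
import csv
import io

# Range and fix version as stated in the debrief (CISA ICSA-25-259-02).
AFFECTED_MIN = (13, 7, 1)
AFFECTED_MAX = (13, 7, 6)
FIXED = "13.7.7"

# Constructed sample inventory; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """host,product,cmu_firmware,iec61850_enabled
rtu-sub01,RTU500,13.7.4,yes
rtu-sub02,RTU500,13.7.7,yes
rtu-sub03,RTU500,13.7.1,no
rtu-sub04,RTU500,v13.7.x,yes
rtu-sub05,RTU500,13.6.2,yes
"""


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y.z digits."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(row):
    """Classify one inventory row against the range given in the debrief."""
    version = parse_version(row["cmu_firmware"])
    if version is None:
        return "verify-manually"  # unreadable version: do not assume it is safe
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        # IEC 61850 is the component the advisory names, so rank those first.
        if row["iec61850_enabled"].strip().lower() == "yes":
            return "update-first"
        return "update"
    # The debrief only covers 13.7.1-13.7.6; check the advisory for the rest.
    return "outside-stated-range"


def triage(csv_text):
    """Return {host: classification} for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row) for row in reader}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        note = f" -> CMU Firmware {FIXED}" if status.startswith("update") else ""
        print(f"{host:10} {status}{note}")
```

Entries reported as outside-stated-range are not thereby confirmed unaffected; this debrief only gives the 13.7.1 through 13.7.6 range, so other versions should be checked against the vendor advisory.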

Evidence notes

This debrief is based on the CISA CSAF advisory for ICSA-25-259-02 and the CVE record metadata supplied in the source corpus. The core claims used here are limited to the advisory description: libexpat use in RTU500 IEC 61850 client/server components, crafted XML input from an authenticated and authorized malicious user, memory mismanagement, and possible reboot. Remediation details are taken from the advisory’s listed mitigation entries, including the CMU Firmware 13.7.7 update path for versions 13.7.1 through 13.7.6. No exploitation evidence, KEV listing, or threat-campaign attribution was supplied.

Official resources

Publicly disclosed on 2025-09-16 via CISA CSAF advisory ICSA-25-259-02; no earlier or later CVE issue date is used here.