PatchSiren cyber security CVE debrief
CVE-2024-3596 Hitachi Energy CVE debrief
CVE-2024-3596 is a critical RADIUS forgery issue affecting Hitachi Energy XMC20. The advisory says a valid RADIUS response under RFC 2865 can be transformed into another response type by a chosen-prefix collision attack against the MD5 Response Authenticator signature. Hitachi Energy and CISA recommend enabling the RADIUS Message-Authenticator option on both the XMC20 and the RADIUS server, and updating to XMC20 R18 where possible.
- Vendor
- Hitachi Energy
- Product
- XMC20
- CVSS
- CRITICAL 9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-01-27
- Original CVE updated
- 2026-02-05
- Advisory published
- 2026-01-27
- Advisory updated
- 2026-02-05
Who should care
Hitachi Energy XMC20 operators, OT/ICS security teams, RADIUS administrators, and responders responsible for protecting industrial control management traffic should treat this as high priority, especially where authentication traffic crosses network boundaries.
Technical summary
The source advisory describes a forgery condition in the RADIUS authentication path used by XMC20. Under RFC 2865 the Response Authenticator is a plain MD5 hash over the response header, the Request Authenticator, the attributes and the shared secret; the secret is appended to the hashed data rather than used as a key. An attacker who can intercept and modify traffic between the XMC20 and the RADIUS server can therefore use a chosen-prefix MD5 collision to turn a valid Access-Accept, Access-Reject, or Access-Challenge into a different response that still carries a valid Response Authenticator, without knowing the shared secret. The Message-Authenticator attribute (RFC 2869) is an HMAC-MD5 keyed with the shared secret over the whole packet, which is why the CSAF remediation specifically calls for enabling it on both the XMC20 and the RADIUS server, and for upgrading to XMC20 R18. Note that the attribute only helps if the receiving side rejects responses that lack it; merely sending it changes nothing.
Defensive priority
Critical. Prioritize patching and RADIUS hardening for any XMC20 deployment that relies on this authentication path, then reduce exposure with segmentation and ICS network controls.
Recommended defensive actions
- Update to XMC20 R18 as recommended in the vendor advisory.
- Enable the RADIUS Message-Authenticator option on both the XMC20 and the RADIUS server.
- If upgrading is not immediately possible, segment FOX management traffic to reduce risk.
- Apply ICS network hardening: minimize exposed ports, avoid direct Internet connectivity, and enforce firewall-based separation.
- Review the vendor technical documentation and PSIRT advisory for deployment-specific guidance before changing authentication settings.
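To make the difference between the two mechanisms concrete, the following Python script is an added example written for this debrief; it is not code from Hitachi Energy, CISA or any RADIUS implementation. It builds a RADIUS response the way RFC 2865 describes (MD5 Response Authenticator with the secret appended), optionally adds an RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret), and then verifies the response in the client role, once in legacy mode and once with the "require Message-Authenticator" setting the advisory recommends. The shared secret, the Request Authenticator and the attribute contents are constructed test values. The collision step itself is not reproduced; the point shown is why a client that accepts responses on the Response Authenticator alone has nothing keyed to check, and why the hardened client rejects a response that lacks or mismatches the Message-Authenticator.

```python
"""RADIUS response authentication, worked on constructed packets:
RFC 2865 Response Authenticator (MD5, secret appended) versus
RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # packet codes, RFC 2865
REPLY_MESSAGE = 18                    # attribute type, RFC 2865
MESSAGE_AUTHENTICATOR = 80            # attribute type, RFC 2869
HEADER_LEN = 20                       # Code, ID, Length, Authenticator


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs; length covers the 2 header bytes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def parse_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    The secret is only a suffix, so everything before it is attacker-visible
    data; that structure is what a chosen-prefix collision exploits."""
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(hdr + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, body_zeroed_ma, secret):
    """RFC 2869 section 5.14: HMAC-MD5 keyed with the secret over the packet,
    with the Message-Authenticator value zeroed and, for responses, the
    Request Authenticator in the authenticator field."""
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body_zeroed_ma))
    return hmac.new(secret, hdr + request_auth + body_zeroed_ma, hashlib.md5).digest()


def build_response(code, ident, request_auth, attrs, secret, add_message_authenticator):
    """Server role: build an Access-Accept/Reject/Challenge, optionally with Message-Authenticator."""
    attrs = list(attrs)
    if add_message_authenticator:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        mac = message_authenticator(code, ident, request_auth, encode_attrs(attrs), secret)
        attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hdr + response_authenticator(code, ident, request_auth, body, secret) + body


def verify_response(pkt, request_auth, secret, require_message_authenticator):
    """Client role (what the XMC20 does with a reply). Returns (accepted, reason)."""
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False, "length mismatch"
    resp_auth, body = pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, response_authenticator(code, ident, request_auth, body, secret)):
        return False, "Response Authenticator mismatch"
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        if require_message_authenticator:
            return False, "Message-Authenticator missing"
        return True, "accepted on Response Authenticator alone (legacy, forgeable)"
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    if not hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, zeroed, secret)):
        return False, "Message-Authenticator mismatch"
    return True, "accepted: Message-Authenticator verified"


def demo():
    """Constructed secret, Request Authenticator and attributes; returns accept/reject per case."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))
    attrs = [(REPLY_MESSAGE, b"ok")]
    legacy = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, False)
    signed = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, True)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # one bit of the MAC flipped in transit
    return {
        "legacy_on_legacy_client": verify_response(legacy, request_auth, secret, False)[0],
        "legacy_on_hardened_client": verify_response(legacy, request_auth, secret, True)[0],
        "signed_on_hardened_client": verify_response(signed, request_auth, secret, True)[0],
        "tampered_on_hardened_client": verify_response(tampered, request_auth, secret, True)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Running the script shows the legacy client accepting a response that carries nothing keyed to the secret, and the hardened client rejecting both a response without Message-Authenticator and one whose HMAC no longer matches. This is the behaviour to confirm after enabling the option on a real XMC20 and RADIUS server: a reply deliberately sent without the attribute must be rejected, otherwise the setting is only being sent, not enforced.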
Evidence notes
This debrief is based on the supplied CISA CSAF advisory ICSA-26-036-05, which was initially released on 2026-01-27 and republished/updated on 2026-02-05 with the Hitachi Energy PSIRT advisory 8DBD000233. The record names Hitachi Energy as vendor, XMC20 as the affected product, and explicitly states the RADIUS MD5 Response Authenticator forgery mechanism plus the Message-Authenticator and XMC20 R18 remediation guidance.
Official resources
- CVE-2024-3596 CVE record (CVE.org)
- CVE-2024-3596 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory context: CISA initially released ICSA-26-036-05 on 2026-01-27 and republished the Hitachi Energy PSIRT advisory on 2026-02-05. The source corpus contains only public advisory material and vendor remediation guidance.