PatchSiren cyber security CVE debrief
CVE-2024-41153 Hitachi Energy CVE debrief
A command injection vulnerability in the Edge Computing UI of Hitachi Energy TRO600 series radios allows authenticated attackers with write access to the web interface to execute arbitrary system commands with root privileges. The vulnerability affects firmware versions 9.1.0.0 through 9.2.0.0 where the Edge Computing functionality is enabled. An attacker exploiting this flaw can escalate beyond their intended write privileges to gain complete administrative control of the device. The CVSS 3.1 vector indicates network attack vector, low attack complexity, high privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability.
- Vendor: Hitachi Energy
- Product: TRO600
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-12
- Original CVE updated: 2024-11-12
- Advisory published: 2024-11-12
- Advisory updated: 2024-11-12
Who should care
Organizations operating Hitachi Energy TRO600 series radios in industrial, utility, or critical infrastructure environments, particularly those with Edge Computing functionality enabled and exposed web management interfaces.
Technical summary
The Edge Computing UI component in Hitachi Energy TRO600 series radios (firmware 9.1.0.0-9.2.0.0) fails to properly sanitize user input, allowing command injection through the web interface. An authenticated user with write access can inject shell metacharacters or command separators into UI fields, resulting in arbitrary command execution with root privileges on the underlying Linux-based operating system. This represents a privilege escalation from web UI write access to full system compromise.
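The bug class in the summary, shown as an added, constructed illustration (not code from the TRO600 firmware; the "ping target" diagnostic field is assumed): the injectable pattern splices a UI field into a shell string, the hardened form allowlists the value and passes it as a single argv element with no shell, and a small detection helper flags field values that carry shell metacharacters so they can be logged and alerted on.

```python
import re
import subprocess

# Constructed, hypothetical illustration of the bug class described above.
# It is not TRO600 code; the "ping target" diagnostic field is assumed.

# Characters a shell treats as separators, substitutions or redirections.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r'\"]")

# Strict allowlist: a hostname or IPv4 address in RFC 1123 shape, nothing else.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_vulnerable_command(target: str) -> str:
    """The injectable pattern: the field value is spliced into one shell
    string that the UI backend would later run with shell=True as root.
    Kept here only for contrast with build_safe_argv()."""
    return f"ping -c 1 {target}"


def contains_shell_metacharacters(value: str) -> bool:
    """Detection helper: flag field values that carry shell separators or
    substitutions, for request logging and alerting on the web interface."""
    return SHELL_META.search(value) is not None


def validate_target(value: str) -> str:
    """Allowlist validation: reject anything that is not a plain host or IP."""
    if not HOST_RE.fullmatch(value):
        raise ValueError(f"rejected diagnostic target: {value!r}")
    return value


def build_safe_argv(target: str) -> list[str]:
    """Hardened form: the validated value is one argv element and no shell
    ever parses it, so separators in the input cannot start a second command."""
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target: str) -> subprocess.CompletedProcess:
    """Execute without a shell; the target can only ever be a single argument."""
    return subprocess.run(build_safe_argv(target), shell=False,
                          capture_output=True, text=True, timeout=10)
```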
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected TRO600 series radios running firmware versions 9.1.0.0 through 9.2.0.0 with Edge Computing functionality to version 9.2.0.5 or later
- Restrict physical access to TRO600 devices to authorized personnel only
- Ensure TRO600 radios are not directly connected to the Internet
- Deploy firewall segmentation with minimal exposed ports between process control networks and other networks
- Prevent use of process control systems for Internet browsing, instant messaging, or email
- Scan all portable computers and removable storage media for malware before connecting to control systems
- Review the TRO600 series Configuration Guide for secure deployment practices
- Monitor for unauthorized configuration changes or unexpected administrative activity on affected devices
Evidence notes
CVE published and advisory released 2024-11-12. CISA CSAF advisory ICSA-24-317-02 provides vendor fix and mitigation guidance. No known exploitation in the wild or KEV listing at time of disclosure.
Official resources
- CVE-2024-41153 CVE record (CVE.org)
- CVE-2024-41153 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-11-12