PatchSiren

CVE-2024-41156 Hitachi Energy CVE debrief

Hitachi Energy TRO600 series radios export configuration profiles in both plain-text and encrypted formats. Authenticated users with write access can extract these profile files, which contain sensitive network configuration details that could aid reconnaissance against Tropos networks. The vulnerability is rated LOW severity (CVSS 2.7) due to the high privilege requirement and limited confidentiality impact. A vendor fix is available in firmware version 9.2.0.5.

Vendor: Hitachi Energy
Product: TRO600
CVSS: LOW 2.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-12
Original CVE updated: 2024-11-12
Advisory published: 2024-11-12
Advisory updated: 2024-11-12

Who should care

Organizations operating Hitachi Energy TRO600 series radios in Tropos mesh networks, particularly those with multiple administrative users or concerns about insider threats and configuration data exposure.

Technical summary

The TRO600 series configuration utility exports profile files containing network configuration data. While encrypted export is available, plain-text export is also permitted, potentially exposing sensitive Tropos network topology and settings. The vulnerability requires authenticated access with write privileges, limiting attack surface to compromised or malicious authorized accounts. CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N.

Defensive priority

routine

Recommended defensive actions

  • Update Hitachi Energy TRO600 series firmware to version 9.2.0.5 or later to address CVE-2024-41156.
  • Restrict write access to configuration export functions to only essential administrative personnel.
  • Implement network segmentation to limit exposure of Tropos network configuration details.
  • Apply defense-in-depth practices per CISA ICS recommended practices for industrial control systems.
  • Review and follow Hitachi Energy security advisory 8DBD000147 for additional configuration guidance.

Evidence notes

CISA published advisory ICSA-24-317-02 on 2024-11-12 documenting this issue. The source CSAF file confirms affected firmware versions range from 9.0.1.0 to 9.2.0.0, with remediation via update to 9.2.0.5.
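The firmware range above can be applied to a radio inventory to find units that still need the update. The following is an added example, not code from Hitachi Energy, CISA or PatchSiren; the hostnames and inventory are constructed, and it assumes firmware versions are purely numeric four-part dotted strings.

```python
# Added example: triage TRO600 radios against the firmware range stated on
# this page (affected 9.0.1.0 through 9.2.0.0, remediated in 9.2.0.5).
AFFECTED_MIN = (9, 0, 1, 0)
AFFECTED_MAX = (9, 2, 0, 0)
FIXED = (9, 2, 0, 5)


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'affected', 'fixed', 'unlisted' or 'unparseable'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        # Bad inventory data must never be counted as patched.
        return "unparseable"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    # Older than 9.0.1.0, or between 9.2.0.0 and 9.2.0.5: the page states
    # nothing about these builds, so flag them for manual review.
    return "unlisted"


def triage(inventory):
    """Group hostnames by classification, preserving inventory order."""
    report = {"affected": [], "fixed": [], "unlisted": [], "unparseable": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "radio-01": "9.0.1.0", "radio-02": "9.2.0.0",
    "radio-03": "9.2.0.5", "radio-04": "9.2.0.3",
    "radio-05": "9.1.10.2", "radio-06": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Versions are compared as integer tuples rather than strings, so a build such as 9.1.10.2 is correctly placed inside the affected range.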
