PatchSiren cyber security CVE debrief
CVE-2026-2459 Hitachi Energy CVE debrief
CVE-2026-2459 is an authorization weakness in Hitachi Energy Relion REB500. The CISA-republished advisory states that an authenticated user with the Installer role can access and alter directory contents outside the role’s authorized scope. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, indicating concern primarily for confidentiality and integrity rather than availability. Hitachi Energy’s recommended fix is version 8.3.3.1; the advisory also recommends disabling the Installer role except during firmware update activity.
- Vendor: Hitachi Energy
- Product: Relion REB500
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-24
- Original CVE updated: 2026-03-03
- Advisory published: 2026-02-24
- Advisory updated: 2026-03-03
Who should care
OT/ICS administrators, Hitachi Energy REB500 operators, and teams responsible for role-based access control, maintenance accounts, and firmware update procedures.
Technical summary
The advisory describes a role-based authorization issue affecting Hitachi Energy Relion REB500 through version 8.3.3.0. An authenticated user with the Installer role may be able to access and alter directories they are not authorized to modify. The issue is tracked as CVE-2026-2459, was initially published on 2026-02-24, and was updated by CISA on 2026-03-03 to republish the vendor advisory. Recommended remediation is to upgrade to 8.3.3.1; mitigation includes keeping the Installer role disabled except during firmware updates.
Defensive priority
Medium. The issue requires authentication and the Installer role, but it affects an OT product and can lead to unauthorized directory access and modification with high confidentiality and integrity impact.
Recommended defensive actions
- Upgrade Hitachi Energy Relion REB500 to version 8.3.3.1 or later, following vendor guidance.
- Keep the Installer role disabled by default and enable it only for the minimum time needed for firmware updates.
- Review which accounts can assume the Installer role and enforce least-privilege access.
- Audit affected systems for unexpected directory changes or file modifications associated with REB500 administration.
- Apply change-control and monitoring around maintenance windows so Installer-role use is time-bound and logged.
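One way to check that Installer-role use stays inside approved firmware-update windows, as the last two actions call for. This is an added example, not code from the advisory or from Hitachi Energy; the pipe-delimited event format, account names, and window times are constructed assumptions, not the REB500's own log format.

```python
from datetime import datetime

# Constructed change-control records: approved firmware-update windows (UTC).
APPROVED_WINDOWS = [
    ("2026-03-10T08:00:00+00:00", "2026-03-10T10:00:00+00:00"),
]

# Constructed sample events in an assumed normalized export format
# (timestamp|account|role|action). Not the device's native log format.
SAMPLE_EVENTS = """\
2026-03-10T08:15:02+00:00|fw-maint|Installer|login
2026-03-10T09:40:11+00:00|fw-maint|Installer|file_write
2026-03-10T10:20:45+00:00|fw-maint|Installer|file_write
2026-03-12T02:03:30+00:00|svc-eng|Installer|login
2026-03-12T02:04:10+00:00|op-anna|Operator|login
"""


def parse_windows(raw):
    """Turn (start, end) ISO 8601 string pairs into timezone-aware datetimes."""
    return [(datetime.fromisoformat(s), datetime.fromisoformat(e)) for s, e in raw]


def parse_events(text):
    """Yield one dict per non-empty event line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, role, action = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "account": account,
               "role": role, "action": action}


def installer_use_outside_windows(text, raw_windows):
    """Return Installer-role events that fall outside every approved window."""
    windows = parse_windows(raw_windows)
    findings = []
    for ev in parse_events(text):
        if ev["role"].lower() != "installer":
            continue  # only the role named in the advisory is in scope
        if not any(start <= ev["ts"] <= end for start, end in windows):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in installer_use_outside_windows(SAMPLE_EVENTS, APPROVED_WINDOWS):
        print(f"{ev['ts'].isoformat()} {ev['account']} {ev['action']}: outside approved window")
```

Each finding is a starting point for the directory-change audit: an Installer write after the window closed, or an Installer login with no window at all, is where to look first for unexpected file modifications.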
Evidence notes
The primary source is the CISA CSAF advisory for ICSA-26-062-02, which states that an authenticated user with the Installer role can access and alter directory contents outside authorized scope. The same advisory lists Hitachi Energy Relion REB500 through version 8.3.3.0 as affected, recommends upgrading to 8.3.3.1, and suggests disabling the Installer role except during firmware updates. The revision history shows initial publication on 2026-02-24 and a CISA republication/update on 2026-03-03. The supplied CVSS vector indicates network access, high privileges required, no user interaction, and high confidentiality/integrity impact with no availability impact.
Official resources
- CVE-2026-2459 CVE record (CVE.org)
- CVE-2026-2459 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed on 2026-02-24 in a CISA CSAF advisory, with a CISA republication/update on 2026-03-03 referencing Hitachi Energy PSIRT advisory 8DBD000217.