PatchSiren cyber security CVE debrief

CVE-2026-8479 Hitachi Energy CVE debrief

CVE-2026-8479 describes a NULL pointer dereference vulnerability in IEC 60870-5-104 bidirectional mode (BCI) within Hitachi Energy's RTU500 product. The vulnerability can be triggered by a specially crafted sequence of messages sent over a sustained period, resulting in Denial of Service (DoS) impact. The attack requires network adjacency (AV:A) and low attack complexity, with the primary impact being availability loss (VA:H). The vulnerability is only exploitable when the IEC 60870-5-104 bidirectional mode functionality is explicitly configured; systems without this configuration are not affected. The CVSS 4.0 vector indicates local network access is required, with low privileges and no user interaction needed. The weakness is classified under CWE-476 (NULL Pointer Dereference). The CVE was published on 2026-05-26 and remains in 'Deferred' status per NVD records.

Vendor: Hitachi Energy
Product: RTU500 series CMU firmware
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Operational technology (OT) security teams, electric utility operators, SCADA system administrators, and organizations deploying Hitachi Energy RTU500 units with IEC 60870-5-104 bidirectional communications enabled

Technical summary

The vulnerability exists in the IEC 60870-5-104 protocol implementation when operating in bidirectional mode (BCI) on RTU500 remote terminal units. A NULL pointer dereference occurs when processing a sustained sequence of malformed protocol messages, causing the device to crash and resulting in loss of availability. The attack vector requires adjacent network access to the target system. The vulnerability is configuration-dependent and does not affect systems running IEC 60870-5-104 in unidirectional mode or with the protocol disabled entirely.

Defensive priority

medium

Recommended defensive actions

Verify if IEC 60870-5-104 bidirectional mode (BCI) is enabled on RTU500 deployments; disable if not required for operations
Apply security updates from Hitachi Energy when available per advisory Document ID 8DBD000252
Monitor network traffic for anomalous IEC 60870-5-104 message sequences targeting RTU500 systems
Implement network segmentation to restrict IEC 60870-5-104 traffic to authorized operational technology (OT) networks only
Review RTU500 configuration documentation to confirm BCI mode necessity and assess alternative unidirectional configurations

Evidence notes

Vulnerability confirmed via official Hitachi Energy security advisory (Document ID 8DBD000252). CVSS 4.0 vector: AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. Weakness: CWE-476. NVD status: Deferred.

Official resources

2026-05-26