PatchSiren cyber security CVE debrief
CVE-2026-1773 Hitachi Energy CVE debrief
CVE-2026-1773 is a high-severity denial-of-service vulnerability affecting Hitachi Energy RTU500 series CMU Firmware when IEC 60870-5-104 bi-directional functionality is configured. According to the CISA advisory, reception of an invalid U-format frame can trigger a DoS condition. The issue was publicly disclosed on 2026-02-24 and the advisory was republished on 2026-03-03 after CISA incorporated the vendor PSIRT notice.
- Vendor
- Hitachi Energy
- Product
- RTU500 series CMU Firmware
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-24
- Original CVE updated
- 2026-03-03
- Advisory published
- 2026-02-24
- Advisory updated
- 2026-03-03
Who should care
OT/ICS operators using Hitachi Energy RTU500 series CMU Firmware, especially environments that enable IEC 60870-5-104 bi-directional communications. Security teams responsible for industrial communications, patch management, and segmentation should prioritize review.
Technical summary
The advisory describes an IEC 60870-5-104 handling flaw that can cause denial of service when an invalid U-format frame is received. Impact is limited to systems with IEC 60870-5-104 bi-directional functionality enabled. Affected firmware ranges listed in the advisory include 12.7.1 through 12.7.7, 13.5.1 through 13.5.4, 13.6.1 through 13.6.2, 13.7.1 through 13.7.7, and 13.8.1. The vendor notes that enabling secure communication per IEC 62351-3 does not remediate the vulnerability, but may reduce exploitation risk.
Defensive priority
High. This is a network-reachable availability issue in an OT product, with no user interaction required per the supplied CVSS vector. Prioritize exposed or bi-directional IEC 60870-5-104 deployments first, then schedule firmware remediation and compensating controls.
Recommended defensive actions
- Upgrade to the vendor-fixed firmware version appropriate for the deployed branch: 12.7.8, 13.7.8 or later, or 13.8.2 as listed in the advisory.
- Inventory RTU500 series CMU Firmware deployments and confirm whether IEC 60870-5-104 bi-directional functionality is enabled.
- If immediate patching is not possible, apply vendor-provided mitigation factors/workarounds and reduce exposure of affected communications paths.
- Review segmentation and access control around IEC 60870-5-104 traffic, especially where bi-directional links are operational.
- Treat IEC 62351-3 secure communication as a risk-reduction measure only; do not rely on it as a fix for this vulnerability.
- Validate remediation in maintenance windows appropriate for OT availability requirements and confirm firmware versions after upgrade.
Evidence notes
Source advisory: CISA ICS Advisory ICSA-26-062-03, issued 2026-02-24 and republished 2026-03-03. The source metadata identifies the product as Hitachi Energy RTU500 Product / RTU500 series CMU Firmware. The supplied input vendor fields contain a mismatch ('Unknown Vendor' vs. Hitachi Energy); the advisory content itself consistently attributes the issue to Hitachi Energy. No exploit details are included here; this summary relies only on the supplied advisory corpus and official reference links.
Official resources
-
CVE-2026-1773 CVE record
CVE.org
-
CVE-2026-1773 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA advisory ICSA-26-062-03 on 2026-02-24, with a CISA republication of the vendor advisory on 2026-03-03.