PatchSiren cyber security CVE debrief
CVE-2026-2460 Hitachi Energy CVE debrief
CVE-2026-2460 is a medium-severity authorization issue in Hitachi Energy Relion REB500. According to the CISA-republished Hitachi Energy advisory, a low-privileged authenticated user may use the DAC protocol to access and alter directory content without being authorized to do so. The vendor remediation is to update to version 8.3.3.1.
- Vendor: Hitachi Energy
- Product: Relion REB500
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-24
- Original CVE updated: 2026-03-03
- Advisory published: 2026-02-24
- Advisory updated: 2026-03-03
Who should care
Organizations running Hitachi Energy Relion REB500, especially OT/ICS administrators, security teams, and identity/access-control owners responsible for authenticated user permissions and directory access.
Technical summary
The advisory describes an authorization bypass-style condition: an authenticated user with low-level privileges can access and modify directories using the DAC protocol beyond their intended permissions. CISA lists the issue with CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (score 6.8), indicating network reachability, low privileges required, and high confidentiality/integrity impact. The provided remediation is to update to Relion REB500 version 8.3.3.1 and apply the vendor's general mitigation factors.
Defensive priority
Medium. Prioritize if REB500 is exposed to broad authenticated access, shared operator accounts, or environments where directory integrity affects operational safety or configuration control.
Recommended defensive actions
- Update Hitachi Energy Relion REB500 to version 8.3.3.1 as recommended by the advisory.
- Restrict authenticated low-privilege accounts to only the minimum DAC and directory access they require.
- Review directory permissions, role assignments, and any workflows that rely on DAC protocol access.
- Monitor for unexpected directory changes or authorization anomalies involving REB500 management paths.
- Apply the vendor's general mitigation factors and CISA recommended industrial control system defensive practices.
Evidence notes
Source evidence comes from CISA CSAF advisory ICSA-26-062-02 for CVE-2026-2460, published 2026-02-24 and republished by CISA on 2026-03-03 as an initial republication of Hitachi Energy PSIRT advisory 8DBD000217. The advisory text states that an authenticated user with low-level privileges may access and alter directory content via the DAC protocol without authorization. The supplied enrichment marks this as not in CISA KEV.
Official resources
- CVE-2026-2460 CVE record (CVE.org)
- CVE-2026-2460 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed on 2026-02-24 by CISA in CSAF advisory ICSA-26-062-02; CISA republished the Hitachi Energy PSIRT advisory on 2026-03-03.