
CVE-2026-1772: CWE-280 Improper Handling of Insufficient Permissions or Privileges in Hitachi Energy RTU500 series CMU firmware

Medium
Tags: Vulnerability, CVE-2026-1772, cve, cve-2026-1772, cwe-280
Published: Tue Feb 24 2026 (02/24/2026, 13:03:23 UTC)
Source: CVE Database V5
Vendor/Project: Hitachi Energy
Product: RTU500 series CMU firmware

Description

RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/03/2026, 18:45:25 UTC

Technical Analysis

CVE-2026-1772 identifies a vulnerability in the Hitachi Energy RTU500 series CMU firmware, specifically related to improper handling of insufficient permissions (CWE-280). The RTU500 devices provide a web interface for management, which is designed to restrict access to sensitive user management information to privileged users only. However, due to flawed permission enforcement, an unprivileged user can bypass these restrictions by using browser development tools to access user management data that is not normally exposed via the web interface. This vulnerability affects firmware versions 12.7.1, 13.5.1, 13.6.1, 13.7.1, and 13.8.1. The CVSS 4.0 base score is 5.3, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and limited confidentiality impact (VC:L). The flaw does not impact integrity or availability. No user interaction is needed, making exploitation feasible for any network-connected attacker who has unprivileged user access to the device’s web interface. No patches or known exploits have been reported at the time of publication, but the exposure of user management information could facilitate further attacks such as privilege escalation or unauthorized access. The vulnerability is significant in environments where RTU500 devices are deployed, particularly in critical infrastructure sectors like energy and utilities, where these devices monitor and control operational technology systems.
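
The failure mode described above (the interface hides user management data, but the server still returns it to a caller without the required privilege) is the kind of gap an authorization-matrix audit catches. The following is an added example, not Hitachi Energy code and not part of the original analysis; the routes, role names and sample users are hypothetical.

```python
# Added illustration of CWE-280 style gaps. Routes, roles and users are
# hypothetical and constructed; this is not RTU500 firmware code.
from dataclasses import dataclass

ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}  # assumed role model

@dataclass
class Session:
    user: str
    role: str

USERS = [  # constructed sample data
    {"name": "alice", "role": "admin"},
    {"name": "bob", "role": "viewer"},
]

def users_ui_only(session):
    """Weak pattern: the UI hides the user page, the endpoint checks nothing."""
    return 200, USERS

def users_enforced(session):
    """Hardened: the server checks the caller's role on every request."""
    if ROLE_RANK[session.role] < ROLE_RANK["admin"]:
        return 403, None
    return 200, USERS

def status(session):
    """Low-sensitivity route that every role may read."""
    return 200, {"state": "running"}

def audit(routes):
    """Call every route as every role and report (path, role) pairs where a
    role below the documented minimum still receives a 200 response."""
    findings = []
    for path, (min_role, handler) in routes.items():
        for role in ROLE_RANK:
            code, _ = handler(Session(user="probe", role=role))
            if code == 200 and ROLE_RANK[role] < ROLE_RANK[min_role]:
                findings.append((path, role))
    return findings

# Each route maps to (minimum role the design intends, handler).
WEAK = {"/api/status": ("viewer", status), "/api/users": ("admin", users_ui_only)}
FIXED = {"/api/status": ("viewer", status), "/api/users": ("admin", users_enforced)}

if __name__ == "__main__":
    print("weak :", audit(WEAK))
    print("fixed:", audit(FIXED))
```

The audit compares the documented minimum role for each route with what the server actually returns, so a route protected only by hiding a menu entry shows up as a finding regardless of what the interface displays.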

Potential Impact

The primary impact of CVE-2026-1772 is the unauthorized disclosure of user management information, which compromises confidentiality. This information could include usernames, roles, or other sensitive configuration details that an attacker could leverage to plan further attacks, such as privilege escalation or lateral movement within the network. Although the vulnerability does not directly affect system integrity or availability, the exposure of sensitive data in critical infrastructure environments could lead to increased risk of operational disruption or sabotage if combined with other vulnerabilities or attack vectors. Organizations worldwide using Hitachi Energy RTU500 devices in energy, utilities, or industrial control systems face potential risks, especially if these devices are accessible from less secure network segments. The medium severity rating reflects that while exploitation is relatively straightforward, the scope of impact is limited to information disclosure without immediate control over device functions.

Mitigation Recommendations

To mitigate CVE-2026-1772, organizations should first verify if their RTU500 devices run affected firmware versions (12.7.1, 13.5.1, 13.6.1, 13.7.1, 13.8.1) and monitor vendor communications for patches or firmware updates addressing this issue. In the absence of an official patch, network segmentation should be enforced to restrict access to the RTU500 web interface only to trusted and authenticated users within secure network zones. Implement strict access control lists (ACLs) and firewall rules to limit exposure of the device management interface. Additionally, disable or restrict browser developer tools usage on management workstations where feasible, keeping in mind that this does not correct the permission enforcement on the device itself, and conduct regular audits of user permissions and device configurations to detect anomalous access attempts. Employ network monitoring and intrusion detection systems to identify suspicious activities targeting the RTU500 devices. Finally, educate operational technology personnel about this vulnerability and encourage prompt reporting of any unusual behavior related to device management interfaces.


Technical Details

Data Version
5.2
Assigner Short Name
Hitachi Energy
Date Reserved
2026-02-02T16:28:53.742Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 699da85ebe58cf853bd6362f

Added to database: 2/24/2026, 1:32:14 PM

Last enriched: 3/3/2026, 6:45:25 PM

Last updated: 4/10/2026, 4:04:11 AM
