CVE-2026-1773: CWE-184 Incomplete List of Disallowed Inputs in Hitachi Energy RTU500 series CMU firmware
IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.
AI Analysis
Technical Summary
CVE-2026-1773 is a vulnerability classified under CWE-184 (Incomplete List of Disallowed Inputs) found in the firmware of Hitachi Energy's RTU500 series Central Management Unit (CMU). The flaw lies in the firmware's handling of IEC 60870-5-104 protocol U-format frames, which are control frames used in supervisory control and data acquisition (SCADA) systems for electric utility automation. Specifically, the firmware does not adequately validate or reject certain malformed or invalid U-format frames, allowing an attacker to send crafted invalid frames that the device cannot properly process. This leads to a denial of service condition, potentially causing the CMU to become unresponsive or disrupt communication. The vulnerability is only exploitable if the IEC 60870-5-104 bi-directional communication feature is enabled on the device. Although enabling IEC 62351-3 secure communication (which provides authentication and encryption for IEC 60870-5-104) reduces the risk of exploitation by restricting unauthorized access, it does not eliminate the underlying input validation flaw. The affected firmware versions range from 12.7.1 to 13.8.1. The CVSS 4.0 vector indicates the attack can be launched remotely over the network without any privileges or user interaction, with a high impact on availability but no impact on confidentiality or integrity. No patches or exploits are currently publicly available, but the vulnerability poses a significant risk to operational continuity in critical infrastructure environments where these devices are deployed.
Potential Impact
The primary impact of CVE-2026-1773 is a denial of service condition on Hitachi Energy RTU500 series CMU devices, which are commonly used in electric utility automation and critical infrastructure SCADA systems. Disruption of these devices can lead to loss of monitoring and control capabilities, potentially causing operational outages, delayed fault detection, or unsafe conditions in power grid management. Since the vulnerability can be exploited remotely without authentication, attackers could disrupt large-scale industrial control systems if the bi-directional IEC 60870-5-104 functionality is enabled and accessible. This could affect grid stability and reliability, leading to financial losses, regulatory penalties, and safety hazards. The lack of known exploits reduces immediate risk, but the high CVSS score and critical role of these devices in infrastructure elevate the threat level. Organizations relying on these devices must consider the risk of service disruption and potential cascading effects on dependent systems.
Mitigation Recommendations
Organizations should first verify whether IEC 60870-5-104 bi-directional communication is enabled on their RTU500 series CMU devices; if not required, disable this feature to eliminate exposure. For systems requiring this functionality, implement IEC 62351-3 secure communication to restrict access and reduce the risk of unauthorized exploitation, although this mitigates the risk without remediating the vulnerability. Monitor network traffic for anomalous or malformed U-format frames targeting these devices, and employ network segmentation and firewall rules to limit exposure of CMUs to untrusted networks. Since no patches are currently available, maintain close contact with Hitachi Energy for firmware updates addressing this issue and plan for timely deployment once released. Additionally, implement robust incident response plans to quickly detect and recover from potential denial of service events. Regularly audit device configurations and update security policies to minimize attack surface.
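One way to implement the U-format monitoring recommended above, as an added example that is not Hitachi Energy's code or part of the original advisory: a passive conformance check that flags any U-format APDU other than the six defined by IEC 60870-5-104. It assumes cleartext, TCP-reassembled payload bytes for one direction of a session (with IEC 62351-3 TLS enabled the check has to run where traffic is decrypted); the names `split_apdus`, `check_u_frame`, `scan` and `SAMPLE` are hypothetical.

```python
# Added example: passive conformance check for IEC 60870-5-104 APCI frames.
START = 0x68
# The six U-format control-field-1 values defined by IEC 60870-5-104.
VALID_U = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def split_apdus(stream: bytes):
    """Yield (offset, apdu, error) per APDU; stop at the first framing error."""
    i = 0
    while i < len(stream):
        if stream[i] != START:
            yield i, stream[i:], "bad start byte"
            return
        if i + 2 > len(stream):
            yield i, stream[i:], "truncated header"
            return
        length = stream[i + 1]          # counts the bytes after the length octet
        end = i + 2 + length
        if length < 4 or length > 253 or end > len(stream):
            yield i, stream[i:end], "bad or truncated APDU length"
            return
        yield i, stream[i:end], None
        i = end

def check_u_frame(apdu: bytes):
    """Return None for a non-U or conformant U-frame, else a reason string."""
    cf1, rest = apdu[2], apdu[3:6]
    if cf1 & 0x03 != 0x03:              # I-format (bit0=0) or S-format (bits 01)
        return None
    if len(apdu) != 6:
        return "U-frame with APDU length != 4"
    if cf1 not in VALID_U:
        return f"undefined U-frame function bits 0x{cf1:02x}"
    if rest != b"\x00\x00\x00":
        return "U-frame with non-zero control fields 2-4"
    return None

def scan(stream: bytes):
    """Return a list of (offset, reason) findings for one direction of a session."""
    findings = []
    for off, apdu, err in split_apdus(stream):
        reason = err or check_u_frame(apdu)
        if reason:
            findings.append((off, reason))
    return findings

# Constructed sample (not captured traffic): STARTDT act, an S-frame, and two
# non-conformant U-frames. The advisory does not say which invalid frame
# triggers the flaw, so these only exercise the conformance check.
SAMPLE = bytes.fromhex("680407000000" "680401000200" "68040f000000" "680443000100")
```

Findings from `scan` are best alerted on per source address and correlated with loss of communication to the CMU, since a conformant peer never sends a U-frame outside the six defined values.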
Affected Countries
United States, Germany, France, United Kingdom, Japan, South Korea, Canada, Australia, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: Hitachi Energy
- Date Reserved: 2026-02-02T16:28:59.394Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699da85ebe58cf853bd63632
Added to database: 2/24/2026, 1:32:14 PM
Last enriched: 3/3/2026, 6:45:40 PM
Last updated: 4/10/2026, 1:02:50 AM