
CVE-2026-1773: CWE-184 Incomplete List of Disallowed Inputs in Hitachi Energy RTU500 series CMU firmware

Severity: High
Type: Vulnerability
Tags: cve, cve-2026-1773, cwe-184
Published: Tue Feb 24 2026 (02/24/2026, 13:13:17 UTC)
Source: CVE Database V5
Vendor/Project: Hitachi Energy
Product: RTU500 series CMU firmware

Description

IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. Enabling secure communication following IEC 62351-3 does not remediate the vulnerability but mitigates the risk of exploitation.

AI-Powered Analysis

Last updated: 02/24/2026, 13:46:55 UTC

Technical Analysis

CVE-2026-1773 is a vulnerability in the firmware of Hitachi Energy's RTU500 series Central Management Units (CMUs), specifically in versions 12.7.1 through 13.8.1. The flaw stems from improper input validation (CWE-20) of U-format frames within the IEC 60870-5-104 protocol implementation. IEC 60870-5-104 is widely used in industrial control systems (ICS) for telecontrol and monitoring in electrical substations and energy infrastructure. The vulnerability allows an attacker to send crafted invalid U-format frames to the device when bi-directional communication is enabled, causing the CMU firmware to mishandle these frames and potentially crash or become unresponsive, resulting in a denial of service. The vulnerability does not require authentication, user interaction, or elevated privileges, and can be exploited remotely over the network. While enabling secure communication according to IEC 62351-3 (which provides security extensions for IEC 60870-5-104) does not remediate the underlying input validation flaw, it reduces the risk by protecting communication channels from unauthorized access or tampering. No public patches or fixes have been released yet, and no known exploits have been detected in the wild. The vulnerability has been assigned a CVSS 4.0 score of 8.7, reflecting its high severity due to ease of exploitation and significant impact on availability of critical infrastructure components.

Potential Impact

The primary impact of CVE-2026-1773 is denial of service against Hitachi Energy RTU500 series CMUs, which are integral components in electrical grid and energy management systems. A successful attack could disrupt monitoring and control operations, potentially leading to loss of situational awareness, delayed response to grid events, and cascading failures in power distribution. This could affect grid stability and reliability, causing operational downtime and economic losses. Since the vulnerability can be exploited remotely without authentication, attackers with network access could cause widespread disruption. The impact extends to utilities, energy providers, and critical infrastructure operators relying on these devices. Although no data confidentiality or integrity compromise is indicated, availability degradation in such systems is critical. The lack of patches increases exposure duration, emphasizing the need for immediate mitigations. The risk is heightened in environments where IEC 60870-5-104 bi-directional communication is enabled and network segmentation or security controls are insufficient.

Mitigation Recommendations

Organizations should first identify all RTU500 series CMUs running affected firmware versions and verify if IEC 60870-5-104 bi-directional functionality is enabled. If not required, disable this functionality to eliminate the attack vector. Implement strict network segmentation and access controls to restrict network access to these devices, limiting exposure to untrusted networks. Deploy IEC 62351-3 secure communication protocols to encrypt and authenticate IEC 60870-5-104 traffic, mitigating unauthorized frame injection. Monitor network traffic for anomalous or malformed U-format frames indicative of exploitation attempts. Coordinate with Hitachi Energy for firmware updates or patches as they become available and plan timely deployment. Employ intrusion detection systems (IDS) tailored for ICS protocols to detect exploitation attempts. Maintain robust incident response plans specific to ICS environments. Avoid exposing RTU devices directly to public or untrusted networks. Regularly audit and update security configurations and maintain awareness of vendor advisories.
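
To make the monitoring recommendation concrete, the following added example (not vendor code and not part of the original advisory) walks the APDUs in a reassembled IEC 60870-5-104 TCP payload and flags U-format frames that do not conform to the standard's APCI layout. It checks protocol conformance only, since the advisory does not describe the specific frame that triggers the fault; the function names and the sample byte stream are constructed for illustration.

```python
START = 0x68  # APCI start octet
# The six control-octet-1 values IEC 60870-5-104 defines for U-format frames.
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def u_format_problem(length, cf):
    """Return None for a well-formed U-format APCI, else the reason it is invalid."""
    if cf[0] not in U_FUNCTIONS:
        return f"undefined function bits 0x{cf[0]:02x}"
    if length != 4:
        return f"U-format carries {length - 4} extra octets"
    if any(cf[1:4]):
        return "non-zero control octets 2-4"
    return None

def check_apdus(payload):
    """Walk each APDU in a reassembled TCP payload; return (offset, kind, problem)."""
    results, pos = [], 0
    while pos < len(payload):
        length = payload[pos + 1] if pos + 1 < len(payload) else 0
        body = payload[pos + 2:pos + 2 + length]
        if payload[pos] != START or not 4 <= length <= 253 or len(body) < length:
            results.append((pos, "?", "bad start octet, length or truncation"))
            break  # framing is lost; stop rather than guess a resync point
        cf = body[:4]
        if cf[0] & 0x01 == 0:
            kind, problem = "I", None  # ASDU content is not inspected here
        elif cf[0] & 0x03 == 0x01:
            ok = length == 4 and cf[0] == 0x01 and cf[1] == 0 and cf[2] & 1 == 0
            kind, problem = "S", None if ok else "malformed S-format"
        else:
            kind, problem = "U", u_format_problem(length, cf)
        results.append((pos, kind, problem))
        pos += 2 + length
    return results

# Constructed sample stream: valid STARTDT act, valid TESTFR con, then three
# U-format frames that break the conformance rules checked above.
SAMPLE = bytes.fromhex(
    "680407000000" "680483000000"
    "68040f000000"      # STARTDT act and con bits set together
    "680543000000ff"    # TESTFR act followed by a stray octet
    "680443000100"      # TESTFR act with non-zero octet 3
)

if __name__ == "__main__":
    for offset, kind, problem in check_apdus(SAMPLE):
        print(f"{offset:3d} {kind} {problem or 'ok'}")
```

Feed it the client-to-server byte stream of each TCP session on port 2404 (the registered IEC 60870-5-104 port) and alert on any U-format entry whose problem field is not empty.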


Technical Details

Data Version: 5.2
Assigner Short Name: Hitachi Energy
Date Reserved: 2026-02-02T16:28:59.394Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699da85ebe58cf853bd63632

Added to database: 2/24/2026, 1:32:14 PM

Last enriched: 2/24/2026, 1:46:55 PM

Last updated: 2/24/2026, 10:19:52 PM
