
Heap Overflow in Hitachi's MACH HiDraw Puts Dams and Grids at Risk

A heap-based buffer overflow in MACH HiDraw versions 9.22 and earlier allows authenticated local users to crash ICS systems and potentially execute arbitrary code.


Hitachi Energy's MACH HiDraw, deployed in dams, energy grids, and transportation systems across the globe, has a heap-based buffer overflow in its XML parser that lets an authenticated local user corrupt memory and potentially execute arbitrary code. That's CVE-2026-7310, fixed in version 9.23.

The Bug: CVE-2026-7310

The flaw lives in HiDraw's XML parser. An authenticated user with local access feeds it a specially crafted XML file, and the parser overflows a heap buffer. Hitachi Energy's PSIRT advisory (8DBD000248) describes the impact as memory corruption leading to arbitrary code execution, plus denial-of-service via application crashes.

CVSS 3.1 base score sits at 5.5 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H. High availability impact is the real killer here — you can take critical control system interfaces offline. CVSS 4.0 rates it 4.4, still medium but worth your attention given the asset value.

Who's Affected and What To Do

All MACH HiDraw versions up to and including 9.22 are vulnerable. Hitachi Energy released the fix in version 9.23. If you're running 9.22 or older, upgrade now. The advisory notes that due to implementation complexity, you should contact your Hitachi account team for upgrade details.

Mitigations from Hitachi include the usual ICS hygiene: isolate the system from the internet, firewall it off from business networks, scan removable media, enforce password policies. CISA adds that VPNs for remote access should be current and that you should perform a risk assessment before deploying any mitigations.

Why This Matters for ICS Security

A CVSS 5.5 might not sound scary until you remember what MACH HiDraw actually controls. This is not a conference room projector — it's a component in critical infrastructure that, if taken down, could disrupt power delivery or dam operations. The requirement for authenticated local access reduces the threat surface, but once inside the control network, an attacker with minimal privileges can crash systems or execute code.

Hitachi Energy's internal team reported the vulnerability, and CISA republished the advisory on June 4, 2026. The fix exists — the question is how many operators will drag their feet on patching. In industrial control environments, that delay often lasts longer than the window an attacker needs.


Source: Hitachi Energy MACH HiDraw
Domain: cisa.gov
