Risk of Injection Attacks Due to Lack of Persistent Data Validation
CVE-2024-4872

8.8 HIGH

Key Information:

Vendor: Hitachi

CVE Published: 27 August 2024

Badges

📰 News Worthy

What is CVE-2024-4872?

A vulnerability has been identified in the query validation mechanism of the MicroSCADA Pro/X SYS600 product, developed by Hitachi Energy. It allows an authenticated attacker to inject malicious code targeting persistent data storage. Successful exploitation may compromise the integrity of the system's data and could lead to further security breaches, which underlines the need for stringent security measures and regular software updates.

Affected Version(s)

MicroSCADA Pro SYS600 9.4 FP2 HF1 <= 9.4 FP2 HF5

MicroSCADA X SYS600 10.0 <= 10.5

MicroSCADA X SYS600 10.3 vulnerability patch 2025_01

News Articles

Hitachi Energy Vulnerabilities Plague SCADA Power Systems

The company has assessed four of the five disclosed vulnerabilities as being of high to critical severity.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • First article discovered

  • Vulnerability published

  • Vulnerability Reserved