NULL Pointer Dereference Vulnerability in IEC 60870-5-104 Bidirectional Mode by Hitachi Energy
CVE-2026-8479

6.9MEDIUM

Key Information:

Vendor: Hitachi
Status: Rtu500 Series Cmu Firmware
Vendor: CVE Published:; 26 May 2026

What is CVE-2026-8479?

The IEC 60870-5-104 protocol used in bidirectional mode is susceptible to a NULL pointer dereference vulnerability when a specifically crafted sequence of messages is transmitted for a certain duration. This flaw can result in a Denial of Service, disrupting service availability if the IEC 60870-5-104 functionality in bidirectional mode (BCI) is enabled.

Affected Version(s)

RTU500 series CMU firmware 12.7.1 <= 12.7.7

RTU500 series CMU firmware 13.5.1 <= 13.5.4

RTU500 series CMU firmware 13.6.1 <= 13.6.3

References

https://publisher.hitachienergy.com/preview?DocumentID=8D...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-8479 Data

JSON