
CVE-2025-27631
https://notcve.org/view.php?id=CVE-2025-27631
25 Mar 2025 — The TRMTracker web application is vulnerable to an LDAP injection attack, potentially allowing an attacker to inject code into a query and execute remote commands that can read and update data on the website. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000210&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') •

CVE-2025-27633
https://notcve.org/view.php?id=CVE-2025-27633
25 Mar 2025 — The TRMTracker web application is vulnerable to a reflected cross-site scripting attack. The application allows client-side code injection that might be used to compromise the confidentiality and integrity of the system. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000210&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-1445
https://notcve.org/view.php?id=CVE-2025-1445
25 Mar 2025 — A vulnerability exists in RTU IEC 61850 client and server functionality that could impact availability if renegotiation of an open IEC61850 TLS connection takes place in specific timing situations while IEC61850 communication is active. The precondition is that IEC61850, as client or server, is configured using TLS on the RTU500 device. It affects the CMU on which the IEC61850 stack is configured. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000207&languageCode=en&Preview=true • CWE-820: Missing Synchronization •

CVE-2025-27632
https://notcve.org/view.php?id=CVE-2025-27632
25 Mar 2025 — A Host Header Injection vulnerability in the TRMTracker application may allow an attacker, by modifying the host header value in an HTTP request, to leverage multiple attack vectors, including defacing the site content through web-cache poisoning. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000210&LanguageCode=en&DocumentPartId=&Action=Launch • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2024-12169
https://notcve.org/view.php?id=CVE-2024-12169
25 Mar 2025 — A vulnerability exists in RTU500 IEC 60870-5-104 controlled station functionality and IEC 61850 functionality that allows an attacker performing a specific attack sequence to restart the affected CMU. This vulnerability only applies if secure communication using IEC 62351-3 (TLS) is enabled. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000207&languageCode=en&Preview=true •

CVE-2024-11499
https://notcve.org/view.php?id=CVE-2024-11499
25 Mar 2025 — A vulnerability exists in RTU500 IEC 60870-4-104 controlled station functionality that allows an authenticated and authorized attacker to perform a CMU restart. The vulnerability can be triggered if certificates are updated while in use on active connections. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000207&languageCode=en&Preview=true • CWE-476: NULL Pointer Dereference •

CVE-2024-10037
https://notcve.org/view.php?id=CVE-2024-10037
25 Mar 2025 — A vulnerability exists in the RTU500 web server component that can cause a denial of service to the RTU500 CMU application if a specially crafted message sequence is executed on a WebSocket connection. An attacker must be properly authenticated and the test mode function of RTU500 must be enabled to exploit this vulnerability. The affected CMU will automatically recover itself if an attacker successfully exploits this vulnerability. • https://publisher.hitachienergy.com/preview?DocumentId=8DBD000207&languageCode=en&Preview=true • CWE-476: NULL Pointer Dereference •

CVE-2024-9929
https://notcve.org/view.php?id=CVE-2024-9929
26 Nov 2024 — A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173&LanguageCode=en&DocumentPartId=&Action=launch • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •

CVE-2024-9928
https://notcve.org/view.php?id=CVE-2024-9928
26 Nov 2024 — A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts making it difficult to automate the attacks. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173&LanguageCode=en&DocumentPartId=&Action=launch • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2024-41156
https://notcve.org/view.php?id=CVE-2024-41156
29 Oct 2024 — Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000147&LanguageCode=en&DocumentPartId=&Action=launch • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •