{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1772", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "state": "PUBLISHED", "assignerShortName": "Hitachi Energy", "dateReserved": "2026-02-02T16:28:53.742Z", "datePublished": "2026-02-24T13:03:23.592Z", "dateUpdated": "2026-02-28T02:19:01.092Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RTU500 series CMU firmware", "vendor": "Hitachi Energy", "versions": [{"lessThanOrEqual": "12.7.7", "status": "affected", "version": "12.7.1", "versionType": "custom"}, {"lessThanOrEqual": "13.5.4", "status": "affected", "version": "13.5.1", "versionType": "custom"}, {"lessThanOrEqual": "13.6.2", "status": "affected", "version": "13.6.1", "versionType": "custom"}, {"lessThanOrEqual": "13.7.7", "status": "affected", "version": "13.7.1", "versionType": "custom"}, {"status": "affected", "version": "13.8.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.<br>"}], "value": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges."}], "impacts": [{"capecId": "CAPEC-503", "descriptions": [{"lang": "en", "value": "CAPEC-503 WebView Exposure"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2026-02-24T13:38:30.521Z"}, "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000237&LanguageCode=en&DocumentPartId=&Action=Launch"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-28T02:18:35.605096Z", "id": "CVE-2026-1772", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:19:01.092Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1772", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-28T02:18:35.605096Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:18:56.751Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-503", "descriptions": [{"lang": "en", "value": "CAPEC-503 WebView Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hitachi Energy", "product": "RTU500 series CMU firmware", "versions": [{"status": "affected", "version": "12.7.1", "versionType": "custom", "lessThanOrEqual": "12.7.7"}, {"status": "affected", "version": "13.5.1", "versionType": "custom", "lessThanOrEqual": "13.5.4"}, {"status": "affected", "version": "13.6.1", "versionType": "custom", "lessThanOrEqual": "13.6.2"}, {"status": "affected", "version": "13.7.1", "versionType": "custom", "lessThanOrEqual": "13.7.7"}, {"status": "affected", "version": "13.8.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000237&LanguageCode=en&DocumentPartId=&Action=Launch"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.", "supportingMedia": [{"type": "text/html", "value": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-280", "description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges"}]}], "providerMetadata": {"orgId": "e383dce4-0c27-4495-91c4-0db157728d17", "shortName": "Hitachi Energy", "dateUpdated": "2026-02-24T13:38:30.521Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1772", "state": "PUBLISHED", "dateUpdated": "2026-02-28T02:19:01.092Z", "dateReserved": "2026-02-02T16:28:53.742Z", "assignerOrgId": "e383dce4-0c27-4495-91c4-0db157728d17", "datePublished": "2026-02-24T13:03:23.592Z", "assignerShortName": "Hitachi Energy"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:rtu520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "064FFA76-2AD3-425F-B003-4D038C941E7D", "versionEndIncluding": "12.7.7", "versionStartIncluding": "12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC2DF255-AB45-4CAE-A7BD-0B2A1B5D04D6", "versionEndIncluding": "13.5.4", "versionStartIncluding": "13.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CB44D4BF-8F0F-4770-A150-A5469A262A5A", "versionEndIncluding": "13.6.2", "versionStartIncluding": "13.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu520_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "432CB425-58CC-47E2-847D-5E3FD31F8EB3", "versionEndExcluding": "13.7.8", "versionStartIncluding": "13.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu520_firmware:13.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "D034F19D-920A-44DE-A886-6021242FF6E3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:rtu520:-:*:*:*:*:*:*:*", "matchCriteriaId": "11AF93AD-200F-47A6-BA2C-F82165AFB50D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:rtu530_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "50ECC099-2676-45CE-82DA-4A6943452976", "versionEndIncluding": "12.7.7", "versionStartIncluding": "12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu530_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "3D5D8077-C84A-4821-9F89-76A0F4664927", "versionEndIncluding": "13.5.4", "versionStartIncluding": "13.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu530_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "89FAF654-7F2C-4918-B074-6CB685E885D8", "versionEndIncluding": "13.6.2", "versionStartIncluding": "13.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu530_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0561AA77-CE68-4C93-8611-630FB07B507C", "versionEndExcluding": "13.7.8", "versionStartIncluding": "13.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu530_firmware:13.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "45F698BE-5EDF-46DF-8B1E-96AC8894AA64", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:rtu530:-:*:*:*:*:*:*:*", "matchCriteriaId": "FC6F9377-E6BB-4DEA-9D87-0AF792CBAC57", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:rtu540_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "FCFA1FB7-1834-4425-9DDB-0C08140DAD4B", "versionEndIncluding": "12.7.7", "versionStartIncluding": "12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu540_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B70918C5-85C2-40B8-8681-921942C41561", "versionEndIncluding": "13.5.4", "versionStartIncluding": "13.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu540_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "30F20A11-9ECB-4CC6-88C2-0CC96DFFABE2", "versionEndIncluding": "13.6.2", "versionStartIncluding": "13.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu540_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "199A1127-9B24-46A6-9122-30FD2EF64F32", "versionEndExcluding": "13.7.8", "versionStartIncluding": "13.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu540_firmware:13.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "4D49545F-C765-4579-89C5-01B1EBB45B36", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:rtu540:-:*:*:*:*:*:*:*", "matchCriteriaId": "6EEFDEF0-883D-402B-9CD4-333A145E3C75", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hitachienergy:rtu560_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF5BF48F-4BDF-4D38-A836-221066FA6234", "versionEndIncluding": "12.7.7", "versionStartIncluding": "12.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu560_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C75F1BB5-558A-4292-BA2B-E77D811D5E09", "versionEndIncluding": "13.5.4", "versionStartIncluding": "13.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu560_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DE20728-0C7A-4388-AA09-AC50C8AD51F9", "versionEndIncluding": "13.6.2", "versionStartIncluding": "13.6.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu560_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CCC0128-9A27-4F4A-B254-C0C31BDCA78B", "versionEndExcluding": "13.7.8", "versionStartIncluding": "13.7.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:hitachienergy:rtu560_firmware:13.8.1:*:*:*:*:*:*:*", "matchCriteriaId": "B9753BCF-0BE9-4B1A-88B4-0B0DE5F623CE", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachienergy:rtu560:-:*:*:*:*:*:*:*", "matchCriteriaId": "495DCBD6-D2D1-4295-81D1-6ACA1B2CA223", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges."}], "id": "CVE-2026-1772", "lastModified": "2026-02-27T18:56:47.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cybersecurity@hitachienergy.com", "type": "Secondary"}]}, "published": "2026-02-24T14:16:22.180", "references": [{"source": "cybersecurity@hitachienergy.com", "tags": ["Vendor Advisory"], "url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000237&LanguageCode=en&DocumentPartId=&Action=Launch"}], "sourceIdentifier": "cybersecurity@hitachienergy.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-280"}], "source": "cybersecurity@hitachienergy.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.7.1,12.7.7]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.5.1,13.5.4]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.6.1,13.6.2]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[13.7.1,13.7.7]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "13.8.1"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "RTU500 series CMU firmware", "source": "cna", "vendor": "Hitachi Energy"}, "product": "rtu500_firmware", "vendor": "hitachienergy"}], "analysis": {"en": {"generated_at": "2026-04-17T15:48:04.345028+00:00", "value": {"mitigation_remediation": ["Upgrade the RTU500 firmware to a version that addresses the unauthorized data exposure, if available", "Limit the RTU500 web interface to trusted networks or require VPN and strong authentication before allowing access", "If an upgrade is not immediately possible, isolate the device from untrusted networks and monitor traffic for usage of browser development tools or other debugging utilities"], "summary": {"action": "Apply patch", "impact": "Unauthorized read of user management data via the web interface"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Hitachi Energy RTU500 series CMU firmware, specifically the RTU520, RTU530, RTU540, and RTU560 models running firmware versions listed as 13.8.1. The impacted devices share common hardware identifiers and may be deployed in industrial control environments.", "description_and_impact": "An unprivileged user can read sensitive user management information from the RTU500 web interface when using browser development utilities. The flaw does not expose the data through the normal user interface, but the information is still present and can be accessed by tools that bypass the usual privilege checks. This grants confidentiality exposure of user accounts and configuration details, potentially enabling further exploitation or credential compromise.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, which reduces confidence in widespread active use. Exploitation likely requires network access to the RTU500\u2019s web interface, making it a local or network-based attack vector understood to be viable in environments where remote administrators or malicious actors can reach the device via LAN or VPN."}}}}, "created": "2026-02-25T11:39:53.331037+00:00", "title": "Unauthorized Access to User Management Data via Web Interface", "updated": "2026-04-17T16:00:11.361913+00:00", "vendors": ["hitachienergy", "hitachienergy$PRODUCT$rtu500_firmware"]}