Executive Summary
In May 2026, Hitachi Energy disclosed two vulnerabilities in its ITT600 Explorer product, tracked as CVE-2024-8176 and CVE-2025-59375. Both stem from the libexpat XML parser bundled with the product's IEC 61850 functionality rather than from Hitachi Energy's own code. CVE-2024-8176 is a stack overflow caused by unbounded recursion during XML entity expansion (fixed upstream in libexpat 2.7.0); a deeply nested chain of entity declarations can crash the parser (denial of service) or corrupt memory. CVE-2025-59375 lets a small, crafted XML document make the parser perform very large dynamic memory allocations (fixed upstream in libexpat 2.7.2), again resulting in denial of service. The affected ranges differ: CVE-2024-8176 affects ITT600 Explorer versions prior to 2.1 SP6, while CVE-2025-59375 affects 2.1 SP6 and earlier. (nvd.nist.gov)
The disclosure underscores the importance of tracking third-party components inside industrial control system software, particularly XML parsers that process attacker-reachable input. Because libexpat is embedded in a great many products, the same two CVEs are likely to appear in other vendors' advisories; organizations should update affected ITT600 Explorer installations promptly and restrict who can reach the IEC 61850 server simulation in the meantime.
Why This Matters Now
The vulnerabilities in Hitachi Energy's ITT600 Explorer highlight the ongoing risks associated with third-party libraries in critical infrastructure. Immediate patching is essential to prevent potential denial of service attacks that could disrupt energy sector operations.
Attack Path Analysis
An attacker exploits vulnerabilities in the ITT600 Explorer's IEC 61850 server simulation to cause a denial-of-service (DoS) condition, leading to system unavailability.
Kill Chain Progression
Initial Compromise
Description
The attacker sends a crafted IEC 61850 message to the ITT600 Explorer's server simulation, exploiting vulnerabilities in the libexpat library.
Related CVEs
CVE-2024-8176
CVSS 7.5
A stack overflow vulnerability in the libexpat library used by the IEC 61850 functionality in Hitachi Energy ITT600 Explorer versions prior to 2.1 SP6 allows a local attacker to send a crafted IEC 61850 message, potentially leading to denial of service or memory corruption.
Affected Products:
Hitachi Energy ITT600 Explorer – < 2.1 SP6
Exploit Status:
no public exploit
CVE-2025-59375
CVSS 7.5
A vulnerability in the libexpat library used by Hitachi Energy ITT600 Explorer versions 2.1 SP6 and prior allows attackers to trigger large dynamic memory allocations via a small document submitted for parsing, potentially leading to denial of service.
Affected Products:
Hitachi Energy ITT600 Explorer – <= 2.1 SP6
Exploit Status:
no public exploit
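A practitioner-level check for the two libexpat issues listed above, as an added example that is not code from Hitachi Energy, CISA or the libexpat project: it gates on the bundled libexpat version (2.7.0 closed CVE-2024-8176 and 2.7.2 closed CVE-2025-59375) and, for applications that can change their parser setup, refuses DTD entity declarations, which is the trigger path for the recursive-expansion bug. Python's xml.parsers.expat is used because it wraps libexpat directly and exposes the library's own version string. The SCL-shaped sample documents are constructed here, and the assumption that ITT600 Explorer parses IEC 61850 SCL XML with expat is ours, not the advisory's.

```python
"""Gate on the bundled libexpat version and refuse DTD entity declarations.

Added example (not code from Hitachi Energy, the CISA advisory or libexpat).
Python's xml.parsers.expat wraps libexpat, so it stands in for any
application that links the library.  The fixed versions are the libexpat
releases that closed each CVE.  The SCL-shaped documents below are
constructed samples; that ITT600 Explorer parses IEC 61850 SCL with expat
is an assumption of this example.
"""
import pyexpat
import xml.parsers.expat as expat

# libexpat release that closed each CVE (libexpat changelog).
FIXED_IN = {
    "CVE-2024-8176": (2, 7, 0),   # recursive entity expansion -> stack overflow
    "CVE-2025-59375": (2, 7, 2),  # small document -> large allocations
}


def parse_version(tag: str) -> tuple:
    """Turn an expat version string such as 'expat_2.7.1' into (2, 7, 1)."""
    return tuple(int(p) for p in tag.split("_", 1)[1].split("."))


def unfixed_cves(version: tuple) -> list:
    """Return the CVEs still open for the given libexpat version tuple."""
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


class EntityDeclarationRejected(Exception):
    """Raised when a document tries to declare an entity in its DTD."""


def parse_hardened(document: bytes) -> tuple:
    """Parse with expat but stop at the first <!ENTITY ...> declaration.

    Returns (True, element_count) or (False, reason).  CVE-2024-8176 is
    reached through chained entity declarations in the DTD; an SCL export or
    configuration file has no legitimate need to define entities, so
    rejecting them closes that trigger even on an unfixed library.
    """
    parser = expat.ParserCreate()
    counts = {"elements": 0}

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(f"entity declaration {name!r} rejected")

    def on_start(name, attrs):
        counts["elements"] += 1

    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(document, True)
    except EntityDeclarationRejected as exc:
        return (False, str(exc))
    except expat.ExpatError as exc:
        return (False, f"malformed XML: {exc}")
    return (True, counts["elements"])


def parse_default(document: bytes) -> str:
    """Default expat behaviour: internal entities are expanded into text."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(document, True)
    return "".join(chunks)


# Constructed samples: a benign SCL-shaped document, and one that chains
# internal entities (three levels here; CVE-2024-8176 needs thousands).
BENIGN_SCL = b'<SCL xmlns="http://www.iec.ch/61850/2003/SCL"><Header id="demo"/></SCL>'
CHAINED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE SCL [
  <!ENTITY a "x">
  <!ENTITY b "&a;&a;">
  <!ENTITY c "&b;&b;">
]>
<SCL>&c;</SCL>"""

if __name__ == "__main__":
    here = parse_version(pyexpat.EXPAT_VERSION)
    print("bundled libexpat:", here, "open CVEs:", unfixed_cves(here) or "none")
    print("default parse expands to:", parse_default(CHAINED_ENTITIES))
    print("hardened parse:", parse_hardened(CHAINED_ENTITIES))
    print("hardened parse of benign SCL:", parse_hardened(BENIGN_SCL))
```

Run stand-alone, it prints the libexpat release the interpreter carries and which of the two CVEs remain open for it; the hardened parser rejects the chained-entity sample at its first declaration, while the default parser silently expands it. Rejecting entity declarations is a compensating control, not a substitute for the vendor update: it removes one input class, whereas the version gate is the check that covers both CVEs.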
MITRE ATT&CK® Techniques
Endpoint Denial of Service (T1499)
Endpoint Denial of Service: Application or System Exploitation (T1499.004) – a single crafted IEC 61850 message crashes or exhausts the XML parser; no flood of traffic is needed.
Not applicable here: the OS, Service and Application Exhaustion Flood sub-techniques and Network Denial of Service (Direct Network Flood, Reflection Amplification) describe volumetric attacks, which neither CVE involves.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Applications and Workloads
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical exposure through Hitachi Energy ITT600 Explorer vulnerabilities enabling DoS attacks on IEC 61850 testing infrastructure, potentially disrupting power grid operational validation and maintenance activities.
Oil/Energy/Solar/Greentech
High risk from libexpat stack overflow and memory allocation vulnerabilities in energy testing tools, threatening operational technology security and renewable energy system integration testing capabilities.
Industrial Automation
Significant vulnerability impact on IEC 61850 server simulation systems used for industrial control testing, requiring immediate patching to prevent denial of service attacks on automation infrastructure.
Electrical/Electronic Manufacturing
Manufacturing systems utilizing Hitachi Energy testing tools face DoS attack risks through uncontrolled recursion vulnerabilities, potentially disrupting quality assurance and electrical system validation processes.
Sources
- Hitachi Energy ITT600 Explorer (CISA ICS advisory) – https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-02 – Verified
- NVD – CVE-2024-8176 – https://nvd.nist.gov/vuln/detail/CVE-2024-8176 – Verified
- NVD – CVE-2025-59375 – https://nvd.nist.gov/vuln/detail/CVE-2025-59375 – Verified
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to exploit vulnerabilities in the ITT600 Explorer's IEC 61850 server simulation, thereby reducing the potential for system unavailability.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the server simulation may be constrained, potentially reducing the likelihood of initial compromise.
Control: Zero Trust Segmentation
Mitigation: While privilege escalation is not involved, Zero Trust Segmentation could limit the attacker's ability to access other resources.
Control: East-West Traffic Security
Mitigation: Although lateral movement is not part of this attack, East-West Traffic Security could limit unauthorized internal communications.
Control: Multicloud Visibility & Control
Mitigation: Even though command and control is not established, Multicloud Visibility & Control could limit unauthorized communications.
Control: Egress Security & Policy Enforcement
Mitigation: While data exfiltration is not involved, Egress Security & Policy Enforcement could limit unauthorized data transfers.
The system's unavailability could be limited, potentially reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Substation Automation
- System Diagnostics
- Protection and Control Engineering
Estimated downtime: 2 days
Estimated loss: $50,000
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline intrusion prevention (IPS) in front of IEC 61850 endpoints to detect and block malformed IEC 61850 messages that target the known parser vulnerabilities.
- Apply zero trust segmentation so that only authorized engineering hosts can reach systems running ITT600 Explorer, limiting exposure of the server simulation.
- Monitor and control east-west traffic to detect attempts to reach the IEC 61850 server simulation from unexpected internal sources.
- Use multicloud visibility and control tooling to surface anomalous activity where engineering or testing environments extend into cloud-hosted infrastructure.
- Update ITT600 Explorer to a release that carries the fixed libexpat, and keep a software bill of materials so the next libexpat advisory can be matched to affected products quickly.