An authenticated malicious client can send a special LINQ query
to execute arbitrary code remotely (RCE) on the SCM server
from List control, and execute the arbitrary code on the same
system where SCMArchivedEventViewerTool is installed in the
case of SCM Tools.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 30 Sep 2025 13:15:00 +0000

Type / Values Removed / Values Added

First Time appeared
  Hitachienergy
  Hitachienergy modular Advanced Control For Hvdc
CPEs
  cpe:2.3:a:hitachienergy:modular_advanced_control_for_hvdc:4.0:*:*:*:*:*:*:*
Vendors & Products
  Hitachienergy
  Hitachienergy modular Advanced Control For Hvdc
Metrics
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 12:45:00 +0000

Type / Values Removed / Values Added

Description
  Removed: Authenticated List control client can execute the LINQ query in SCM Server to present event as list for operator. An authenticated malicious client can send special LINQ query to execute arbitrary code remotely (RCE) on the SCM Server that an attacker otherwise does not have authorization to do.
  Added: An authenticated malicious client can send a special LINQ query to execute arbitrary code remotely (RCE) on the SCM server from List control, and execute the arbitrary code on the same system where SCMArchivedEventViewerTool is installed in the case of SCM Tools.
Metrics
  Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Added: cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published:

Updated: 2025-09-30T13:44:45.565Z

Reserved: 2024-03-01T15:56:00.646Z

Link: CVE-2024-2097

Vulnrichment

Updated: 2024-08-01T19:03:38.825Z

NVD

Status: Awaiting Analysis

Published: 2024-03-27T03:15:12.290

Modified: 2025-09-30T13:15:47.543

Link: CVE-2024-2097

Redhat

No data.

OpenCVE Enrichment

No data.