Description
PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.
Published: 2026-06-30
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PROMOD V uses plain HTTP to communicate with a third‑party Digipede server, exposing all traffic to eavesdropping, tampering, and impersonation. The flaw originates from the device’s lack of support for HTTPS, so commands and telemetry are sent without encryption or integrity verification. The primary impact is the loss of confidentiality and integrity of data transmitted between the field device and the server, allowing a network attacker to read or modify control messages and operational data.

Affected Systems

The vulnerability affects Hitachi Energy’s PROMOD V product line. No specific firmware or hardware version details are provided, so all installations of PROMOD V that rely on the Digipede server for remote communication are potentially impacted.

Risk and Exploitability

The CVSS base score of 7 indicates high severity, and because exploitation relies only on capturing unsecured HTTP traffic, an attacker with network access can readily intercept or inject packets. The EPSS score is not available, so the current likelihood of exploitation is uncertain, but the lack of encryption makes exploitation straightforward once the attacker reaches the communication path. The vulnerability is not listed in CISA’s KEV catalog, suggesting no known public exploits at the time of reporting.

Generated by OpenCVE AI on June 30, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Hitachi Energy to enable HTTPS support on the Digipede server and update PROMOD V firmware to use HTTPS for all communications.
  • Reconfigure PROMOD V to point to the HTTPS endpoint once it becomes available, ensuring that all outbound traffic requires TLS encryption.
  • Validate the new configuration by verifying that HTTP traffic no longer appears on network interfaces and that TLS certificates are properly presented and trusted.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | PROMOD V Lacks HTTPS, Leading to Insecure HTTP Traffic

Tue, 30 Jun 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | | PROMOD V is using insecure HTTP communication instead of HTTPS. The vulnerability is due to the lack of HTTPS support from 3rd party Digipede server.
Weaknesses | | CWE-1428
References | |
Metrics | | cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published:

Updated: 2026-06-30T13:16:16.774Z

Reserved: 2026-06-03T15:11:32.712Z

Link: CVE-2026-10763

Vulnrichment

Updated: 2026-06-30T13:16:10.858Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T10:30:11Z

Weaknesses
  • CWE-1428: Reliance on HTTP instead of HTTPS