Description
RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.
Published: 2026-02-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized read of user management data via the web interface
Action: Apply patch
AI Analysis

Impact

An unprivileged user can read sensitive user management information from the RTU500 web interface when using browser development utilities. The flaw does not expose the data through the normal user interface, but the information is still present and can be accessed by tools that bypass the usual privilege checks. This grants confidentiality exposure of user accounts and configuration details, potentially enabling further exploitation or credential compromise.

Affected Systems

The vulnerability affects Hitachi Energy RTU500 series CMU firmware, specifically the RTU520, RTU530, RTU540, and RTU560 models running firmware versions listed as 13.8.1. The impacted devices share common hardware identifiers and may be deployed in industrial control environments.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, which reduces confidence in widespread active use. Exploitation likely requires network access to the RTU500’s web interface, making it a local or network-based attack vector understood to be viable in environments where remote administrators or malicious actors can reach the device via LAN or VPN.

Generated by OpenCVE AI on April 17, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RTU500 firmware to a version that addresses the unauthorized data exposure, if available
  • Limit the RTU500 web interface to trusted networks or require VPN and strong authentication before allowing access
  • If an upgrade is not immediately possible, isolate the device from untrusted networks and monitor traffic for usage of browser development tools or other debugging utilities

Generated by OpenCVE AI on April 17, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Access to User Management Data via Web Interface

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy rtu520
Hitachienergy rtu520 Firmware
Hitachienergy rtu530
Hitachienergy rtu530 Firmware
Hitachienergy rtu540
Hitachienergy rtu540 Firmware
Hitachienergy rtu560
Hitachienergy rtu560 Firmware
CPEs cpe:2.3:h:hitachienergy:rtu520:-:*:*:*:*:*:*:*
cpe:2.3:h:hitachienergy:rtu530:-:*:*:*:*:*:*:*
cpe:2.3:h:hitachienergy:rtu540:-:*:*:*:*:*:*:*
cpe:2.3:h:hitachienergy:rtu560:-:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu520_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu520_firmware:13.8.1:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu530_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu530_firmware:13.8.1:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu540_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu540_firmware:13.8.1:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu560_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:rtu560_firmware:13.8.1:*:*:*:*:*:*:*
Vendors & Products Hitachienergy rtu520
Hitachienergy rtu520 Firmware
Hitachienergy rtu530
Hitachienergy rtu530 Firmware
Hitachienergy rtu540
Hitachienergy rtu540 Firmware
Hitachienergy rtu560
Hitachienergy rtu560 Firmware
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy
Hitachienergy rtu500 Firmware
Vendors & Products Hitachienergy
Hitachienergy rtu500 Firmware

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287 CWE-280

Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
Description RTU500 web interface: An unprivileged user can read user management information. The information cannot be accessed via the RTU500 web user interface but requires further tools like browser development utilities to access them without required privileges.
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hitachienergy Rtu500 Firmware Rtu520 Rtu520 Firmware Rtu530 Rtu530 Firmware Rtu540 Rtu540 Firmware Rtu560 Rtu560 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published:

Updated: 2026-02-28T02:19:01.092Z

Reserved: 2026-02-02T16:28:53.742Z

Link: CVE-2026-1772

cve-icon Vulnrichment

Updated: 2026-02-28T02:18:56.751Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T14:16:22.180

Modified: 2026-02-27T18:56:47.210

Link: CVE-2026-1772

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses