Description
A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not authorized to do so.
Published: 2026-02-24
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file modification
Action: Assess Impact
AI Analysis

Impact

A vulnerability exists in Hitachi Energy REB500 that allows an authenticated user with the Installer role to access and alter directories outside its scope, resulting in unauthorized modification of configuration files and potential disruption of system operation. The weakness is an Access Control flaw (CWE-267), which enables the installer to read, write, or delete files beyond intended boundaries.

Affected Systems

The affected product is the Hitachi Energy REB500 series. The vulnerability applies to the REB500 firmware in unspecified versions; the advisory does not list specific firmware versions, so any current releases of that hardware and firmware remain vulnerable.

Risk and Exploitability

With a CVSS base score of 7.4 the issue is high, but the EPSS score being under 1% indicates low exploitation probability. Because the bug requires local authenticated Installer credentials, it is not exploitable remotely, but any compromised or privileged account could abuse the flaw. The vulnerability is not listed in the KEV catalog, so no known active exploits are documented.

Generated by OpenCVE AI on April 18, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the firmware version on each REB500 device and obtain a security update from Hitachi Energy addressing this issue.
  • If a patch is not available, limit or remove the Installer role and grant only the permissions required for normal operation.
  • Enable detailed auditing of file system changes and regularly review the logs for evidence of unauthorized modifications.

Generated by OpenCVE AI on April 18, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Title Installer Role Exploit Allows Unauthorized Directory Access in Hitachi Energy REB500

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy reb500
Hitachienergy reb500 Firmware
CPEs cpe:2.3:h:hitachienergy:reb500:-:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:reb500_firmware:*:*:*:*:*:*:*:*
Vendors & Products Hitachienergy reb500
Hitachienergy reb500 Firmware
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy
Hitachienergy relion Reb500
Vendors & Products Hitachienergy
Hitachienergy relion Reb500

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not authorized to do so.
Weaknesses CWE-267
References
Metrics cvssV4_0

{'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hitachienergy Reb500 Reb500 Firmware Relion Reb500
cve-icon MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published:

Updated: 2026-02-28T02:22:21.519Z

Reserved: 2026-02-13T11:08:24.044Z

Link: CVE-2026-2459

cve-icon Vulnrichment

Updated: 2026-02-28T02:22:15.221Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T14:16:23.477

Modified: 2026-04-06T13:55:52.863

Link: CVE-2026-2459

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses