Description
A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC protocol that the user is not authorized to do so.
Published: 2026-02-24
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Directory Access and Modification via DAC Protocol
Action: Apply Patch
AI Analysis

Impact

An authenticated user with low‑level privileges can use the DAC protocol to read and modify directories on Hitachi Energy REB500 devices beyond the authorizations granted to that user. This flaw allows the attacker to compromise data confidentiality and integrity by altering or deleting directory contents without proper authorization.

Affected Systems

The vulnerability affects Hitachi Energy’s Relion REB500 line of devices, specifically the firmware that implements the DAC protocol. No additional version details are listed, so all firmware iterations of the REB500 are presumed vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while the EPSS score of <1% suggests that the exploitation probability is low. The vulnerability is not yet listed in the CISA KEV catalog, and the attack vector is inferred to be an authenticated local user with basic privileges, who can gain unauthorized directory access by exploiting the DAC protocol implementation.

Generated by OpenCVE AI on April 16, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Hitachi Energy firmware update that addresses the DAC protocol access control flaw
  • Restrict DAC protocol permissions for low‑privilege users via device ACL settings
  • Monitor and audit directory access logs for anomalous modifications to detect unauthorized activity

Generated by OpenCVE AI on April 16, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Insufficient Authorization Allows Low‑Privilege User to Alter Directories via DAC Protocol

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy reb500
Hitachienergy reb500 Firmware
CPEs cpe:2.3:h:hitachienergy:reb500:-:*:*:*:*:*:*:*
cpe:2.3:o:hitachienergy:reb500_firmware:*:*:*:*:*:*:*:*
Vendors & Products Hitachienergy reb500
Hitachienergy reb500 Firmware
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Hitachienergy
Hitachienergy relion Reb500
Vendors & Products Hitachienergy
Hitachienergy relion Reb500

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC protocol that the user is not authorized to do so.
Weaknesses CWE-267
References
Metrics cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hitachienergy Reb500 Reb500 Firmware Relion Reb500
cve-icon MITRE

Status: PUBLISHED

Assigner: Hitachi Energy

Published:

Updated: 2026-02-28T02:23:18.377Z

Reserved: 2026-02-13T11:08:27.300Z

Link: CVE-2026-2460

cve-icon Vulnrichment

Updated: 2026-02-28T02:23:13.406Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T14:16:23.647

Modified: 2026-02-26T18:04:30.317

Link: CVE-2026-2460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses