An authentication bypass vulnerability exists in the FOXMAN-UN/UNEM server / API Gateway component that if exploited allows attackers without any access to interact with the services and the post-authentication attack surface.
The vulnerability (CWE-288, CWE-306) lies in the ability to bypass authentication mechanisms in the server or API Gateway layer. An attacker without any credentials can directly interact with internal system services that normally require authorization. The maximum CVSS score of 10.0 with a network vector (AV:N), no required privileges (PR:N), and no user interaction (UI:N) indicates full remote exploitability.
An attacker can gain unauthorized access to the entire scope of functionality available after authentication, potentially leading to disclosure of sensitive data, modification of configuration, or disruption of the power grid management system.
Patches available from the manufacturer should be applied in accordance with the references (https://publisher.hitachienergy.com/preview?DocumentId=8DBD000201&languageCode=en&Preview=true). Until the fix is implemented, it is recommended to restrict network access to the API Gateway component only to trusted hosts and apply additional access control mechanisms at the firewall level.
Hitachi Energy FOXMAN-UN and UNEM products — versions indicated in the manufacturer's references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HHitachienergy Foxman Un
APPHitachienergyr15ar15br16ar16bHitachienergy Unem
APPHitachienergyr15ar15br16b
Related vulnerabilities
RCE w serwerze/API Gateway Hitachi Energy FOXMAN-UN/UNEM
A vulnerability exists in the FOXMAN-UN/UNEM server that affects the message queueing mechanism’s certificate...
A heap-based buffer overflow vulnerability exists in the FOXMAN-UN/UNEM that if exploited will generally lead ...
A user/password reuse vulnerability exists in the FOXMAN-UN/UNEM application and server management. If exploit...
The affected products store both public and private key that are used to sign and protect Custom Parameter Se...