Hitachi Energy ITT600 Explorer (CVE-2024-8176, CVE-2025-59375)
Hitachi Energy ITT600 Explorer contains two high-severity vulnerabilities (CVE-2024-8176, CVE-2025-59375) within its libexpat library implementation. These flaws, triggered via crafted IEC61850 messages or documents during server simulation, can lead to uncontrolled recursion and resource exhaustion, resulting in Denial of Service (DoS) or memory corruption.
Authors: CISA, Hitachi Energy PSIRT
What Happened
Hitachi Energy's ITT600 Explorer software has two security flaws that could allow an attacker to crash the application or potentially corrupt its memory. These issues only affect users who are actively using the software's IEC61850 server simulation feature. If exploited, the software could become unresponsive, disrupting testing and operations. Users are strongly advised to update their software to version 2.1 SP6 HF1 or newer to fix these vulnerabilities.
Key Takeaways
- Hitachi Energy ITT600 Explorer is affected by two high-severity vulnerabilities (CVE-2024-8176, CVE-2025-59375) in the libexpat library.
- Exploitation requires the use of the IEC61850 server simulation feature.
- Successful exploitation can lead to Denial of Service (DoS) or potentially memory corruption via uncontrolled recursion or massive memory allocation.
- Users should update to version 2.1 SP6 HF1 or upgrade to version 2.2 when available.
Affected Systems
- Hitachi Energy ITT600 Explorer versions 2.1 SP6 and prior (specifically when IEC61850 server simulation is used)
Vulnerabilities (CVEs)
- CVE-2024-8176
- CVE-2025-59375
Attack Chain
An attacker crafts a malicious IEC61850 message or a small XML document designed to trigger excessive resource consumption and submits it to a vulnerable Hitachi Energy ITT600 Explorer instance running the IEC61850 server simulation. The bundled libexpat library parses the payload: deeply nested entity references drive it into uncontrolled recursion (CVE-2024-8176), or a small document forces massive dynamic memory allocation (CVE-2025-59375). The result is a Denial of Service (DoS) condition or potential memory corruption on the host system.
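The two failure shapes in the attack chain, deep entity nesting and a small document that expands into a huge one, can be screened for before an untrusted XML file ever reaches the parser. The following is an added example, not Hitachi Energy, ITT600 Explorer or libexpat code: it reads only the internal DTD subset and estimates the nesting depth of entity references and the expanded size of each entity without expanding anything, so the checker itself cannot be driven into deep recursion or a large allocation. The limits, the executable-free SCL-shaped sample, the attack-shaped samples and the assumption that the untrusted input is an XML document such as an IEC 61850 SCL file are all constructed for illustration; they are not taken from the advisory.

```python
"""Pre-parse sanity check for untrusted XML before it reaches libexpat.

Added example, not Hitachi Energy or libexpat code. Limits and the sample
documents below are illustrative assumptions.
"""
import re
from typing import Dict, Set, Tuple

MAX_ENTITY_DEPTH = 20            # assumed limit on entity-reference nesting
MAX_EXPANSION_BYTES = 1_000_000  # assumed limit on any one entity's expanded size
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

ENTITY_DECL = re.compile(r"<!ENTITY\s+([\w.-]+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
EXTERNAL_DECL = re.compile(r"<!ENTITY\s+[\w.-]+\s+(?:SYSTEM|PUBLIC)\b")
ENTITY_REF = re.compile(r"&([\w.-]+);")


def declared_entities(doc: str) -> Dict[str, str]:
    """Internal general entities declared in the DOCTYPE subset (parameter entities ignored)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ENTITY_DECL.finditer(doc)}


def expanded_size(name: str, entities: Dict[str, str],
                  memo: Dict[str, Tuple[int, int]], stack: Set[str],
                  level: int) -> Tuple[int, int]:
    """Return (bytes after full expansion, nesting depth below this entity).

    Recursion is bounded by MAX_ENTITY_DEPTH so the checker cannot be driven
    into a deep stack; cycles are detected through `stack`.
    """
    if level > MAX_ENTITY_DEPTH:
        raise ValueError(f"entity nesting deeper than {MAX_ENTITY_DEPTH}")
    if name in stack:
        raise ValueError(f"recursive entity reference via {name}")
    if name in memo:
        return memo[name]
    if name in PREDEFINED:
        return (1, 0)
    value = entities.get(name)
    if value is None:
        return (len(name) + 2, 0)  # undeclared: a conforming parser rejects it anyway
    stack.add(name)
    size, depth, last = 0, 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - last
        last = m.end()
        sub_size, sub_depth = expanded_size(m.group(1), entities, memo, stack, level + 1)
        size += sub_size
        depth = max(depth, sub_depth + 1)
        if size > MAX_EXPANSION_BYTES:
            raise ValueError(f"entity {name} expands past {MAX_EXPANSION_BYTES} bytes")
    size += len(value) - last
    stack.discard(name)
    memo[name] = (size, depth)
    return memo[name]


def check_document(doc: str) -> Tuple[bool, str]:
    """Accept or reject a document before parsing; returns (accepted, reason)."""
    if EXTERNAL_DECL.search(doc):
        return False, "external entity declaration"
    entities = declared_entities(doc)
    memo: Dict[str, Tuple[int, int]] = {}
    worst_size = worst_depth = 0
    try:
        for name in entities:
            size, depth = expanded_size(name, entities, memo, set(), 1)
            worst_size, worst_depth = max(worst_size, size), max(worst_depth, depth)
    except ValueError as exc:
        return False, str(exc)
    return True, f"max expansion {worst_size} bytes, max nesting {worst_depth}"


# Constructed inputs: a minimal SCL-shaped document, a cycle and an external entity.
BENIGN = ('<?xml version="1.0"?><!DOCTYPE SCL [<!ENTITY vendor "Example Vendor">]>'
          '<SCL><Header id="&vendor;"/></SCL>')
CYCLIC = '<!DOCTYPE x [<!ENTITY a "&b;"><!ENTITY b "&a;">]><x>&a;</x>'
EXTERNAL = '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/hostname">]><x>&ext;</x>'


def expansion_doc(levels: int = 10, fanout: int = 10) -> str:
    """Small document whose last entity expands to 2 * fanout**(levels-1) bytes."""
    decls = ['<!ENTITY e0 "ha">']
    for i in range(1, levels):
        ref = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{ref}">')
    return "<!DOCTYPE x [" + "".join(decls) + f"]><x>&e{levels - 1};</x>"


def deep_chain_doc(n: int = 50) -> str:
    """Document whose entities form a reference chain n deep (tiny size, deep recursion)."""
    decls = [f'<!ENTITY e{i} "&e{i + 1};">' for i in range(n - 1)]
    decls.append(f'<!ENTITY e{n - 1} "x">')
    return "<!DOCTYPE x [" + "".join(decls) + "]><x>&e0;</x>"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("expansion", expansion_doc()),
                       ("deep chain", deep_chain_doc()), ("cycle", CYCLIC),
                       ("external", EXTERNAL)]:
        print(f"{label:11s} -> {check_document(doc)}")
```

A pre-filter like this reduces exposure for files copied into a simulator but is no substitute for the vendor fix: it sees only the internal DTD subset, ignores parameter entities, and says nothing about malformed IEC61850 messages arriving over the network. Python consumers of untrusted XML get the same effect from `defusedxml`, which refuses entity declarations outright.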
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules or queries are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: Low. EDR will see the resulting crash (process termination) of the ITT600 Explorer application but will not parse the IEC61850 traffic or the XML that triggered it.
- Network Visibility: Medium. A NIDS with ICS protocol parsers could flag malformed IEC61850 messages or XML documents carrying the recursion or allocation patterns described above, but only if signatures are written for them.
- Detection Difficulty: Hard. Reliable detection needs deep packet inspection of IEC61850 traffic or monitoring of memory growth in the ITT600 process; both are prone to false positives.
Required Log Sources
- Application crash logs
- Network traffic logs (PCAP)
- Performance monitoring logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unexpected process crashes or sudden memory spikes in the ITT600 Explorer application, which may indicate an attempted DoS exploit. | Application event logs, Performance monitoring (PerfMon) | Impact | Medium |
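The hypothesis above can be run as code over the two telemetry sources it names. The following is an added example, not from the advisory or from Hitachi Energy: it filters Application Error records (Windows Event ID 1000) for the simulator process, flags Private Bytes samples that jump above a median baseline, and then correlates the two so that a crash preceded by a memory spike is reported separately from a bare crash, which is where the hypothesis' medium false-positive risk comes from. The executable name, the record layouts and every event and sample are constructed assumptions; the advisory names no executable.

```python
"""Hunt for the behavioural indicators over constructed telemetry.

Added example, not from the advisory. The executable name and the record
layouts are assumptions; real collection would read the Windows Application
log (Event ID 1000, Application Error) and the Process\\Private Bytes counter.
"""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

TARGET_PROCESS = "ITT600Explorer.exe"  # assumed; the advisory names no executable

# Constructed Application log records. 0xc00000fd is STATUS_STACK_OVERFLOW,
# the exception a runaway recursion ends in; 0xc0000005 is an access violation.
EVENTS: List[Dict[str, object]] = [
    {"time": "2025-10-01T09:14:02", "event_id": 1000,
     "faulting_app": "ITT600Explorer.exe", "exception": "0xc00000fd"},
    {"time": "2025-10-01T09:20:11", "event_id": 1000,
     "faulting_app": "notepad.exe", "exception": "0xc0000005"},
    {"time": "2025-10-01T11:02:45", "event_id": 1000,
     "faulting_app": "ITT600Explorer.exe", "exception": "0xc0000005"},
    {"time": "2025-10-01T11:30:00", "event_id": 1001,
     "faulting_app": "ITT600Explorer.exe", "exception": ""},
]

# Constructed one-minute samples of Process\Private Bytes for the simulator.
MEM_SAMPLES: List[Tuple[str, int]] = [
    ("2025-10-01T09:05:00", 310_000_000), ("2025-10-01T09:06:00", 305_000_000),
    ("2025-10-01T09:07:00", 315_000_000), ("2025-10-01T09:08:00", 308_000_000),
    ("2025-10-01T09:09:00", 312_000_000), ("2025-10-01T09:10:00", 318_000_000),
    ("2025-10-01T09:11:00", 1_900_000_000), ("2025-10-01T09:12:00", 3_400_000_000),
    ("2025-10-01T10:58:00", 320_000_000), ("2025-10-01T10:59:00", 322_000_000),
    ("2025-10-01T11:00:00", 318_000_000), ("2025-10-01T11:01:00", 325_000_000),
    ("2025-10-01T11:02:00", 321_000_000),
]


def crash_events(events, process=TARGET_PROCESS):
    """Application Error records for the simulator process (medium-FP hunt on its own)."""
    return [e for e in events
            if e["event_id"] == 1000 and str(e["faulting_app"]).lower() == process.lower()]


def memory_spikes(samples, baseline_window=5, factor=3.0):
    """Samples exceeding factor x the median of the preceding baseline_window samples.

    A median baseline keeps one spike from lifting the baseline for the next
    sample, so a second, larger spike right after the first is still caught.
    """
    flagged = []
    for i in range(baseline_window, len(samples)):
        baseline = median(v for _, v in samples[i - baseline_window:i])
        ts, value = samples[i]
        if value > factor * baseline:
            flagged.append((ts, value, baseline))
    return flagged


def correlate(crashes, spikes, window=timedelta(minutes=10)):
    """One finding per crash that was preceded by at least one spike within `window`."""
    findings = []
    for crash in crashes:
        crash_at = datetime.fromisoformat(str(crash["time"]))
        near = [(ts, value / baseline) for ts, value, baseline in spikes
                if timedelta(0) <= crash_at - datetime.fromisoformat(ts) <= window]
        if near:
            findings.append({"crash": crash["time"], "exception": crash["exception"],
                             "spikes": [ts for ts, _ in near],
                             "max_ratio": round(max(r for _, r in near), 1)})
    return findings


if __name__ == "__main__":
    crashes = crash_events(EVENTS)
    spikes = memory_spikes(MEM_SAMPLES)
    for f in correlate(crashes, spikes):
        print(f"{f['crash']}: {f['exception']} after {len(f['spikes'])} memory spike(s), "
              f"peak {f['max_ratio']}x baseline")
```

On the constructed data the simulator crashes twice, but only the 09:14 crash, a stack overflow a few minutes after Private Bytes climbed to more than ten times its baseline, is promoted to a correlated finding; the 11:02 access violation with flat memory stays in the lower-confidence crash list for the analyst to triage against normal testing activity.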
Control Gaps
- Lack of deep packet inspection for IEC61850 protocols
- Missing application-level resource quotas
Key Behavioral Indicators
- Unexpected termination of the ITT600 Explorer process
- Anomalous memory consumption by the ITT600 Explorer process during IEC61850 server simulation
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Update Hitachi Energy ITT600 Explorer to version 2.1 SP6 HF1 or newer.
- If patching is not immediately possible, consider disabling the IEC61850 server simulation feature if it is not actively required.
Infrastructure Hardening
- Minimize network exposure for all control system devices and ensure they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, enforce the use of secure, updated Virtual Private Networks (VPNs), recognising that a VPN is only as secure as the devices connected to it and must itself be kept patched.
User Protection
- Ensure portable computers and removable storage media are scanned for malware before connecting to the control system network.
Security Awareness
- Educate ICS operators on the risks of processing untrusted IEC61850 simulation files or messages.
MITRE ATT&CK Mapping
- T1499.004 - Endpoint Denial of Service: Application or System Exploitation