# Hitachi Energy PCM600 Path Traversal Vulnerability Threatens Critical Infrastructure Environments


## The Threat


Hitachi Energy has disclosed a critical path traversal vulnerability affecting multiple versions of its PCM600 product—a widely deployed power generation and control management platform used across global energy infrastructure. The vulnerability, tracked as CVE-2018-1002208, stems from improper handling of ZIP archive entries and could allow local attackers to write arbitrary files to affected systems, compromising data integrity and system stability.


The vulnerability is a manifestation of the notorious "Zip-Slip" class of attacks, where specially crafted ZIP archives containing path traversal sequences (../) allow attackers to extract files outside their intended directory during decompression. In the context of PCM600—used to monitor and manage power systems worldwide—this capability creates a significant integrity risk. An attacker with local access and user interaction could potentially modify critical configuration files, control parameters, or operational data within the PCM600 environment.
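The containment check that a Zip-Slip-prone extractor omits can be run as a pre-extraction audit of an archive's entry names. This is an added example, not code from Hitachi Energy, PCM600, or SharpZipLib. The destination folder `C:\Work\import`, the function names, and the sample archive are assumptions constructed for illustration.

```python
import io
import ntpath
import zipfile

# Hypothetical extraction folder on the engineering workstation (assumption).
DEST = r"C:\Work\import"

def unsafe_entries(archive, dest=DEST):
    """Return (entry name, reason) for each entry that would land outside dest.

    Names are resolved with Windows path rules (ntpath) on any host, since the
    archive will be opened on a Windows machine.
    """
    root = ntpath.normcase(ntpath.normpath(dest))
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            name = info.filename
            drive, tail = ntpath.splitdrive(name)
            if drive or tail.startswith(("/", "\\")):
                findings.append((name, "absolute or drive-qualified path"))
                continue
            # normpath collapses "." and ".." and treats "/" and "\" alike.
            target = ntpath.normcase(ntpath.normpath(ntpath.join(root, name)))
            # Compare against root plus a separator: a bare prefix test would
            # accept a sibling folder such as C:\Work\import_old.
            if target != root and not target.startswith(root + "\\"):
                findings.append((name, "escapes destination"))
    return findings

def build_sample():
    """Constructed in-memory archive; entry names are illustrative only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("config/relay.xml",               # stays inside
                     "docs/../notes.txt",              # ".." but stays inside
                     "../../Windows/placeholder.txt",  # climbs out
                     "..\\import_old/x.txt",           # sibling-prefix case
                     "C:/Temp/placeholder.txt"):       # drive-qualified
            zf.writestr(name, b"sample")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in unsafe_entries(build_sample()):
        print(f"REJECT {name!r}: {reason}")
```

An archive with any finding should be rejected as a whole rather than extracted with the offending entries skipped.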


PCM600 is integral to energy sector operations, serving as a communication platform for protection, control, and monitoring of substation equipment and generation facilities. The product integrates with Hitachi Energy's Relion series protection equipment and other industrial control devices. Given this critical role in power system management, any vulnerability affecting data integrity warrants immediate attention from energy operators and system administrators.


## Severity and Impact


| Field | Details |
|-------|---------|
| CVE Identifier | CVE-2018-1002208 |
| CVSS v3.1 Base Score | 4.4 (Medium) |
| Severity Rating | MEDIUM |
| CVSS Vector String | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N |
| Attack Vector | Local (AV:L) |
| Attack Complexity | High (AC:H) |
| Privileges Required | Low (PR:L) |
| User Interaction | Required (UI:R) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | None (C:N) |
| Integrity Impact | High (I:H) |
| Availability Impact | None (A:N) |
| Weakness Classification | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| Underlying Root Cause | SharpZipLib library vulnerability before version 1.0 RC1 |


The Medium severity classification reflects the vulnerability's constrained attack conditions: an attacker must have local system access, be able to convince a user to interact with a malicious ZIP file, and successfully trigger the extraction of a crafted archive. However, the High integrity impact score indicates that successful exploitation could result in unauthorized modification of critical system files—a serious concern in industrial control environments where configuration integrity directly affects operational safety and performance.


## Affected Products


The following Hitachi Energy PCM600 versions are confirmed vulnerable:


### PCM600 Legacy Series (2.x)

  • PCM600 Legacy version 2.11 and earlier

### PCM600 3.x Series

  • PCM600 3.0
  • PCM600 3.0 HF1
  • PCM600 3.0 HF2
  • PCM600 3.0 HF3
  • PCM600 3.1
  • PCM600 3.1 SP1
  • PCM600 3.1 SP2
  • PCM600 3.1 SP3

Important Note on Legacy Versions: The PCM600 2.x product line was originally distributed under ABB's organization prior to Hitachi Energy's acquisition of the business. While ABB continues to maintain legacy versions, Hitachi Energy now exclusively maintains and distributes the PCM600 3.x product line. Users still operating legacy 2.x versions should note that Hitachi Energy cannot guarantee compatibility of ABB's remediation guidance with other Hitachi Energy products, including Relion 670/650 series, SAM600, and PWC600 devices.


## Mitigations

### Immediate Actions

Organizations operating affected PCM600 versions should implement the following mitigation strategies:

1. Plan for Upgrade: Hitachi Energy has announced a planned fix targeting PCM600 3.1 SP4. Organizations should contact their Hitachi Energy support representatives to obtain and schedule deployment of this update when available. Users on earlier versions should prioritize migration to maintained versions (3.0 or later).

2. Review Deployment Security: Ensure that Chapter 4 of the Cyber Security Deployment Guideline (document reference 1MRK505410) has been followed during initial PCM600 deployment. This guideline establishes security baselines for substation protection and control systems.

3. Credential Management: Audit all configured accounts and remove or change any default credentials. Default credentials significantly increase the risk of local compromise, which is a prerequisite for exploiting this vulnerability.

4. Implement Network Controls: Apply network segmentation to restrict local access to PCM600 systems. Limit connectivity to authorized administrative networks only. This reduces the attack surface by minimizing the number of systems from which an attacker could launch an exploit.

5. Access Monitoring: Implement logging and monitoring of ZIP file extraction operations and file write activities on PCM600 systems. Detect and alert on suspicious file creation or modification in system directories.

6. User Training: Educate system operators and administrators on the risks of extracting untrusted ZIP files and encourage verification of the source and authenticity of any maintenance packages or configuration files received.

### Vendor Fix Timeline

Hitachi Energy has indicated that PCM600 3.1 SP4, which addresses this vulnerability, is planned for release. Organizations should establish a timeline for testing and deploying this update in their environments. Given the critical nature of PCM600 in energy infrastructure, updates should be coordinated with operational schedules to minimize disruption.

For legacy PCM600 2.x users, migration to Hitachi Energy-maintained versions (3.x) is strongly recommended. While ABB has published guidance specific to legacy versions (advisory 2NGA002813), Hitachi Energy cannot validate compatibility with other interconnected protection and control devices.


## References

  • Hitachi Energy Cybersecurity Advisory: Official disclosure and guidance
  • CISA Vulnerability Notification: Reported by Hitachi Energy to CISA
  • CWE-22 Details: MITRE CWE database entry on path traversal vulnerabilities
  • SharpZipLib Project: Library maintainers have released patches in version 1.0 RC1 and later
  • ABB PCM600 Advisory 2NGA002813: Guidance for legacy 2.x version users
  • Hitachi Energy Industrial Control Systems Best Practices: Comprehensive security deployment guidelines

---

Actionable Recommendation: Energy organizations should prioritize verifying which PCM600 versions are deployed in their infrastructure, then either schedule upgrades to 3.1 SP4 upon release or implement compensating controls to restrict local access and monitor file integrity. Given the critical nature of power systems, this vulnerability should be addressed within standard change management procedures rather than through emergency patching where operationally feasible.