top of page
perceptive_background_267k.jpg

Hitachi Energy AFS, AFR and AFF Series

Published:

16 December 2025 at 12:00:00

Alert date:

16 December 2025 at 18:02:03

Source:

cisa.gov

Click to open the original link from this advisory

Critical Infrastructure, Network Infrastructure

Critical vulnerability in RADIUS protocol implementation affecting Hitachi Energy AFS, AFR and AFF Series products. The vulnerability (CVE-2024-3596) allows local attackers to forge RADIUS authentication responses using chosen-prefix collision attacks against MD5 response authenticator signatures. All versions of affected products are vulnerable. CVSS score of 9.0 (Critical) with potential for compromising data integrity and availability. Hitachi Energy has provided mitigation steps by enabling RADIUS server message authenticator option.

Technical details

The RADIUS protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid response (access-accept, access-reject, or access-challenge) to any other response using a chosen-prefix collision attack against the MD5 response authenticator signature. This vulnerability is classified as CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel. The vulnerability has a CVSS v3.1 score of 9.0 (Critical) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Successful exploitation could compromise the integrity of the product data and disrupt its availability.

Mitigation steps:

Set the RADIUS configuration to default which enables the RADIUS server message authenticator option. For AFR 677, AFS 650, AFS 655, AFS 670, AFS 675, AFS 677: Use CLI command 'radius server msgauth' or MIB 'hmAgentRadiusServerMsgAuth'. For AFF 660, AFF 665, AFS 660-B/C/S, AFS 665-B/S, AFS 670: Use CLI command 'radius server auth modify msgauth' or MIB 'hm2AgentRadiusServerMsgAuth'. Follow general security practices: minimize network exposure, isolate control systems behind firewalls, use secure remote access methods like VPNs, perform proper impact analysis and risk assessment before deploying defensive measures.

Affected products:

Hitachi Energy AFS 660-B/C/S (all versions)
Hitachi Energy AFS 665-B/S (all versions)
Hitachi Energy AFS 670 v2.0 (all versions)
Hitachi Energy AFS 650 (all versions)
Hitachi Energy AFS 655 (all versions)
Hitachi Energy AFS 670 (all versions)
Hitachi Energy AFS 675 (all versions)
Hitachi Energy AFS 677 (all versions)
Hitachi Energy AFR 677 (all versions)
Hitachi Energy AFF 660 (all versions)
Hitachi Energy AFF 665 (all versions)

Related links:

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-350-03.json
https://nvd.nist.gov/vuln/detail/CVE-2024-3596
https://cwe.mitre.org/data/definitions/924.html
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
https://www.cisa.gov/notification
https://www.cisa.gov/privacy-policy

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page