Hitachi Energy PCM600 Vulnerable to 'Zip-Slip' Path Traversal Flaw
Hitachi Energy has disclosed a path traversal vulnerability in its PCM600 software caused by an outdated third-party library, potentially allowing attackers to overwrite arbitrary files.

Hitachi Energy has issued an advisory regarding a path traversal vulnerability affecting multiple versions of its PCM600 protection and control intelligent electronic device (IED) management software. The flaw, which carries a CVSS base score of 4.4, stems from the use of an outdated version of the SharpZipLib library within the software, leaving systems susceptible to unauthorized file manipulation CISA.
The vulnerability, identified as CVE-2018-1002208 and commonly known as "Zip-Slip," occurs due to improper limitation of a pathname to a restricted directory. An attacker can exploit this flaw by crafting a malicious Zip archive containing entries with "dot-dot-slash" (../) sequences. When the software extracts these files, the path traversal allows the attacker to write files to arbitrary locations on the system, potentially compromising the integrity of the product CISA.
The affected software includes the PCM600 Legacy versions 2.11 and earlier, as well as the PCM600 3.0 series (including HF1, HF2, and HF3) and the 3.1 series (including SP1, SP2, and SP3). Because the vulnerability is rooted in the third-party SharpZipLib library—specifically versions prior to 1.0 RC1—it impacts any deployment utilizing these older, unpatched components CISA.
The reach of this vulnerability is significant, as PCM600 is used globally within the energy sector to manage critical infrastructure. Hitachi Energy noted that while legacy versions 2.11 and earlier were originally distributed under ABB, some users may still be operating them. ABB has released its own cybersecurity advisory 2NGA002813 regarding the issue, though Hitachi Energy warns that it cannot guarantee the compatibility of ABB’s recommended updates with its own IEDs, such as the Relion 670, 650, SAM600, and PWC600 series CISA.
Currently, there is no direct vendor fix available for all versions, though an update to PCM600 3.1 SP4 is planned. In the interim, Hitachi Energy strongly recommends that users migrate to the 3.x product line, which the company maintains and validates. Users are also advised to consult the Industrial Control Systems Best Practices and ensure that the deployment guidelines in Chapter 4 of the Cyber Security Deployment Guideline (1MRK505410) are strictly followed. Furthermore, operators should verify that no default credentials are in use and implement adequate countermeasures for any known exceptions CISA.
This vulnerability highlights the ongoing risks associated with software supply chain dependencies, where third-party libraries can introduce critical flaws into industrial control systems years after the initial vulnerability is discovered. As organizations continue to manage legacy software in critical environments, maintaining visibility into third-party components remains a primary challenge for security teams CISA.