Hitachi Energy PROMOD V Vulnerable to Data Interception via Insecure HTTP
Hitachi Energy's PROMOD V industrial control system software contains a vulnerability that transmits sensitive data over insecure HTTP, potentially exposing it to interception and credential theft.

Hitachi Energy has disclosed a significant vulnerability affecting its PROMOD V product, specifically versions 1.0.10 and prior. The flaw, identified as CVE-2026-10763, stems from a limitation in a third-party component, the Digipede server, which lacks support for HTTPS communication. This reliance on insecure HTTP means that sensitive data transmitted between components can be intercepted by attackers.
The potential impact of this vulnerability is severe. Threat actors could eavesdrop on network traffic to capture sensitive information, including user credentials. This could lead to session hijacking, allowing attackers to impersonate legitimate users, or gain unauthorized access to the PROMOD V system and the industrial processes it manages. The widespread deployment of Hitachi Energy products across the global energy sector underscores the critical nature of this disclosure.
Hitachi Energy has acknowledged the issue and recommends an immediate upgrade to PROMOD V version 1.0.11. Crucially, users must also ensure that HTTPS is enabled on the Digipede server component to properly secure the communication channel. Detailed instructions for this upgrade and configuration are available in the "1.0.11 PROMOD V User Guide," specifically within the section covering Digipede Grid operations.
The Common Vulnerability Scoring System (CVSS) v3.1 assigns a base score of 7.1, categorizing it as HIGH severity. The vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N indicates that the attack is possible over the network, requires low complexity, no privileges, user interaction, impacts the system's confidentiality and integrity, but not availability.
While upgrading to the patched version and enabling HTTPS is the primary remediation, general mitigation factors are also advised. These include minimizing network exposure for all control system devices, ensuring they are not directly accessible from the internet, and segmenting control system networks behind firewalls. Employing secure remote access methods like VPNs, maintaining strong password policies, and regularly scanning portable media for malware are also recommended practices.
CISA has issued an advisory for this vulnerability, urging organizations to implement defensive measures to mitigate exploitation risks. The agency emphasizes the importance of network segmentation and secure remote access, recommending that control system networks be isolated from business networks and that remote access be secured through updated VPN solutions.
This vulnerability highlights a recurring challenge in industrial control systems: the reliance on legacy components or third-party software that may not support modern security protocols like HTTPS. As these systems are increasingly connected, the security of their communication channels becomes paramount to prevent data breaches and operational disruptions.
Hitachi Energy has provided contact information for support through their service organization and website, encouraging users to reach out for assistance with the remediation process. The company also includes a standard legal disclaimer regarding the information provided in the advisory.