CISA 2026-05-21

Hitachi Energy GMS600

CVE-2022-4304

Machine-generated analysis · WAYSCloud LLM

The advisory states that affected GMS600 versions use a vulnerable OpenSSL component enabling potential plaintext recovery via timing attacks.

Context

The advisory identifies Hitachi Energy GMS600 as the affected product, specifically versions 1.3.0 to 1.3.1. It describes CVE-2022-4304 as a timing-based side channel in OpenSSL's RSA decryption that could allow recovery of a pre-master secret from observed connections. The attacker would need to send a large number of trial messages to exploit the flaw. The advisory notes the product is used in critical manufacturing and deployed worldwide.

Operator considerations

- Check: GMS600 devices for versions between 1.3.0 and 1.3.1
- Patch: Upgrade GMS600 to a version that addresses CVE-2022-4304 or apply vendor-recommended mitigations
- Log: Monitor for unusual volumes of RSA decryption attempts on affected systems

From Cybersecurity and Infrastructure Security Agency ↗

Hitachi Energy is aware of the vulnerability, CVE-2022-4304 in the OSS component OpenSSL, that affects the GMS600 versions that are listed below. An attacker successfully exploiting this vulnerability could send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. For immediate mitigation /workaround information, please refer to the General Mitigation Factors/Workarounds

The following versions of Hitachi Energy GMS600 are affected:

GMS600 vers:GMS600/>=1.3.0|

Read the full advisory on CISA →