Defenders in the Energy sector need to immediately address a high-severity vulnerability identified in Hitachi Energy’s PROMOD V product. Tracked as CVE-2026-10763 (CVSS v3 7.1), this flaw stems from the application’s reliance on insecure HTTP for data transmission rather than encrypted HTTPS.
In the context of Operational Technology (OT) and industrial control systems (ICS), this vulnerability is not merely a compliance gap; it is a critical exposure. It opens the door for Man-in-the-Middle (MitM) attacks, allowing adversaries to intercept sensitive data, steal credentials, hijack sessions, or manipulate operational commands. This advisory, released by CISA (ICSA-26-188-02), highlights the continued prevalence of fundamental transport security weaknesses in critical infrastructure software.
Technical Analysis
- Affected Product: Hitachi Energy PROMOD V
- Affected Versions: PROMOD_V versions <= 1.0.10
- CVE ID: CVE-2026-10763
- CVSS Score: 7.1 (High)
- Critical Sector: Energy
Vulnerability Mechanics: The PROMOD V software transmits sensitive operational and configuration data over the network using cleartext HTTP (TCP port 80 or 8080). By design, HTTP lacks confidentiality and integrity protections.
Attack Chain:
- Interception: An actor with a position on the network (e.g., a compromised switch, a malicious insider, or an adjacent subnet hop) can use packet capture tools (like Wireshark or tcpdump) to read traffic destined for or originating from the PROMOD V application.
- Credential Theft: If the application transmits session tokens or authentication credentials in the headers or body, the attacker extracts them in plaintext.
- Session Hijacking: The attacker replays the stolen session cookie or token to gain unauthorized access to the PROMOD V interface.
- Data Manipulation: In an active MitM scenario (e.g., ARP spoofing), the attacker can modify the data in transit before it reaches the server or client, potentially altering grid settings or operational parameters.
Exploitation Status: While specific in-the-wild exploitation campaigns have not been detailed in the advisory, the low complexity of execution makes this a high-value target for initial access brokers or sophisticated threat actors targeting energy grids.
Detection & Response
Detecting this vulnerability requires identifying the use of insecure HTTP protocols by the specific application or verifying the running version against the vulnerable list.
SIGMA Rules
The following rules detect the execution of the PROMOD V application and its usage of insecure HTTP ports.
---
title: Hitachi Energy PROMOD V Process Execution
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects execution of Hitachi Energy PROMOD V processes to identify potentially vulnerable hosts.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-02
author: Security Arsenal
date: 2026/04/06
tags:
- attack.initial_access
- attack.t1190
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'Promod'
Company|contains:
- 'Hitachi Energy'
condition: selection
falsepositives:
- Legitimate administrative use of the software
level: low
---
title: PROMOD V Insecure HTTP Usage
id: b0c9d8e7-f6a5-4b3c-2d1e-0f9e8d7c6b5a
status: experimental
description: Detects network connections from PROMOD V processes to insecure HTTP ports (80, 8080), indicating CVE-2026-10763 exposure.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-02
author: Security Arsenal
date: 2026/04/06
tags:
- attack.credential_access
- attack.t1040
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains:
- 'Promod'
DestinationPort:
- 80
- 8080
Protocol: tcp
condition: selection
falsepositives:
- Legacy configurations requiring non-standard ports
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for processes with "Promod" in the name initiating connections to standard HTTP ports.
DeviceNetworkEvents
| where InitiatingProcessName contains "Promod"
| where RemotePort in (80, 8080)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| summarize count() by DeviceName, RemoteIP, RemotePort
Velociraptor VQL
This VQL artifact hunts for active network connections associated with PROMOD V processes on Linux or Windows endpoints.
-- Hunt for PROMOD V processes using insecure HTTP ports
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Name =~ "Promod"
-- Correlate with network connections
SELECT Net.Pid, Net.RemoteAddress, Net.RemotePort, Net.State
FROM netstat()
WHERE Net.RemotePort IN (80, 8080)
AND Net.Pid IN (SELECT Pid FROM pslist() WHERE Name =~ "Promod")
Remediation Script (PowerShell)
Use this script to scan systems for the presence of vulnerable PROMOD V versions by checking file metadata.
# Script to detect vulnerable Hitachi Energy PROMOD V installations
Write-Host "Scanning for Hitachi Energy PROMOD V (CVE-2026-10763)..." -ForegroundColor Cyan
$potentialPaths = @(
"C:\Program Files\Hitachi Energy\",
"C:\Program Files (x86)\Hitachi Energy\",
"D:\Program Files\Hitachi Energy\"
)
$foundVulnerable = $false
foreach ($path in $potentialPaths) {
if (Test-Path $path) {
Write-Host "Checking path: $path" -ForegroundColor Yellow
$files = Get-ChildItem -Path $path -Recurse -Filter "Promod*.exe" -ErrorAction SilentlyContinue
foreach ($file in $files) {
$versionInfo = $file.VersionInfo
$version = $versionInfo.FileVersion
# Check if version is <= 1.0.10 (Basic string comparison for this example)
# In production, use System.Version object for robust comparison
if ($version -ne $null) {
Write-Host "Found: $($file.FullName)" -NoNewline
Write-Host " Version: $version" -ForegroundColor White
# Logic to determine vulnerability based on advisory
# PROMOD_V/<=1.0.10 is vulnerable
if ([version]$version -le [version]"1.0.10") {
Write-Host "[ALERT] Vulnerable version detected!" -ForegroundColor Red
$foundVulnerable = $true
} else {
Write-Host "[OK] Version appears patched." -ForegroundColor Green
}
}
}
}
}
if (-not $foundVulnerable) {
Write-Host "No vulnerable instances found on standard paths." -ForegroundColor Green
}
Remediation
-
Patch Management:
- Review the official Hitachi Energy Advisory and vendor documentation.
- Update PROMOD V to a version greater than 1.0.10 immediately.
-
Network Segmentation:
- Ensure PROMOD V systems are isolated behind a firewall and strictly segregated from the broader IT network and untrusted zones (like the Internet).
- Block inbound and outbound traffic on ports 80 and 8080 to/from PROMOD V systems unless absolutely necessary for operations. If necessary, force tunneling through an IPSec VPN or strictly controlled jump host.
-
Inspection and Monitoring:
- If immediate patching is not possible, deploy network Taps or SPAN ports to monitor traffic between PROMOD V clients and servers for anomalous or cleartext credential transmission.
- Enable Deep Packet Inspection (DPI) on internal firewalls to detect and alert on HTTP traffic patterns associated with this application.
-
CISA Compliance:
- As this affects Critical Infrastructure, refer to CISA KEV (Known Exploited Vulnerabilities) catalog for specific binding operational directives (BOD) regarding remediation timelines.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.