BACK TO NEWS
CERT Advisories

Hitachi Energy SuprOS Vulnerable to Default Credential Exploits

2 min readSource: INCIBE-CERT

INCIBE warns of hardcoded credentials in Hitachi Energy SuprOS, enabling unauthorized access to critical industrial control systems.

Hitachi Energy SuprOS Found with Hardcoded Default Credentials

Madrid, Spain – February 13, 2026 – Spain’s National Cybersecurity Institute (INCIBE) has issued an alert regarding hardcoded default credentials in Hitachi Energy SuprOS, a widely used industrial control system (ICS) platform. The vulnerability exposes critical infrastructure to unauthorized access and potential operational disruption.

Technical Details

The flaw, tracked under CVE-2026-XXXX (pending official assignment), involves static, unchangeable credentials embedded in SuprOS software versions prior to the latest security patch. Attackers with network access could exploit these credentials to gain administrative privileges, bypass authentication, and manipulate industrial processes.

Hitachi Energy SuprOS is deployed in energy, utilities, and manufacturing sectors, often managing supervisory control and data acquisition (SCADA) systems. The use of default credentials is a well-documented security risk, yet it remains a persistent issue in operational technology (OT) environments.

Impact Analysis

Successful exploitation could lead to:

  • Unauthorized control of industrial systems
  • Data exfiltration or manipulation of operational parameters
  • Disruption of critical services, including power distribution or water treatment
  • Lateral movement into connected IT/OT networks

The vulnerability is particularly concerning for critical infrastructure operators, where downtime or sabotage could have severe economic and public safety consequences.

Recommendations

INCIBE and Hitachi Energy urge affected organizations to:

  1. Apply the latest SuprOS security patch immediately (contact Hitachi Energy support for guidance).
  2. Isolate SuprOS systems from untrusted networks until remediation is complete.
  3. Monitor for suspicious activity, including failed login attempts or unusual command executions.
  4. Review access controls and enforce least-privilege principles for all ICS accounts.
  5. Conduct a security audit to identify other potential default credential risks in OT environments.

For further details, refer to INCIBE’s official advisory.

This is a developing story. Updates will be provided as more information becomes available.

Share

TwitterLinkedIn