How serious is CVE-2026-2460?

This vulnerability has a CVSS score of 7.6 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-2460?

Yes, proof-of-concept exploit code for CVE-2026-2460 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-2460?

CVE-2026-2460 affects hitachienergy reb500 firmware. Check the full CVE details for specific version information.

How do I fix CVE-2026-2460?

To remediate CVE-2026-2460, check for security patches from hitachienergy. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-2460

High

|7.6

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker with low-level access can exploit a vulnerability in the REB500 firmware to change files and directories they shouldn't be able to modify. This requires the attacker to already have authenticated access to the system, making it a serious risk if such users are compromised.

Technical Description

A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC protocol that the user is not authorized to do so.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityHigh

Privileges RequiredLow

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,263($1K-$5K)

Vendor Response

Grade APatched in 2 days

Quick Information

Published

Feb 24, 2026

about 1 month ago

Last Modified

Feb 26, 2026

about 1 month ago

Vendor

hitachienergy

Product

reb500 firmware

Related Vulnerabilities

CVE-2026-2459High

This vulnerability allows an attacker with an Installer role to access and change files in directories they shouldn't be able to, potentially compromising the system's integrity. However, the attacker must already be authenticated as a user with the Installer role to exploit this weakness.

CVE-2026-1773High

This vulnerability allows an attacker to cause a Denial of Service, making the system unresponsive, by sending invalid data frames if the device is set up for bi-directional communication using the IEC 60870-5-104 protocol. Even though enabling secure communication can reduce the risk, it does not completely fix the issue.

CVE-2026-1772Medium

An attacker can access sensitive user management information from the RTU500 device, even without proper permissions, by using tools like browser development utilities. This information is not directly available through the device's web interface, so the attacker needs to know how to use these additional tools to exploit the vulnerability.

CVE-2023-5769Medium

An attacker could inject malicious scripts into the web interface of the RTU500 series devices, potentially allowing them to steal sensitive information or perform actions on behalf of legitimate users. This vulnerability occurs because the device does not properly filter user input, making it easier for attackers to exploit it if they can access the webserver.