Cyber Posture

CVE-2026-2459

High

Published: 24 February 2026

Modified: 06 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (3.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2459 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Hitachi Energy REB500 firmware. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Least Privilege directly mitigates the vulnerability by ensuring the Installer role is restricted to only authorized directories, preventing unauthorized access and alteration.

Prevent: Access Enforcement requires the system to implement mechanisms that block the Installer role from accessing or modifying unauthorized directories.

Prevent: Account Management supports mitigation by properly provisioning and reviewing Installer role privileges to exclude access to restricted directories.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The CVE describes a network-accessible (AV:N) authorization bypass in a product with an Installer role. This directly enables exploitation of a public-facing application (T1190) to achieve unauthorized access and modification via privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability exists in REB500 for an authenticated user with Installer role to access and alter the contents of directories that the role is not authorized to do so.

Deeper analysis · AI

CVE-2026-2459 is a privilege management vulnerability (CWE-267) in the REB500 product from Hitachi Energy. It enables an authenticated user with the Installer role to access and alter contents of directories that this role is not authorized to reach. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and was published on 2026-02-24.

To exploit this issue, an attacker needs network access and valid credentials for an Installer role account; attack complexity is low and no user interaction is required. Exploitation has a high impact on confidentiality (unauthorized read access to confidential information, C:H) and on integrity (unauthorized modification of data, I:H), with no denial-of-service effect (A:N).

Mitigation details are available in the Hitachi Energy advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000217&LanguageCode=en&DocumentPartId=&Action=Launch.

Details

CWE(s)

Affected Products

hitachienergy · reb500 firmware · ≤ 8.3.3.0

CVEs Like This One

CVE-2026-2460 (Same product: Hitachienergy Reb500)
CVE-2026-1773 (Same vendor: Hitachienergy)
CVE-2026-29646 (Shared CWE-267)
CVE-2025-23015 (Shared CWE-267)
CVE-2026-0945 (Shared CWE-267)
CVE-2025-41244 (Shared CWE-267)
CVE-2026-23526 (Shared CWE-267)
CVE-2026-27314 (Shared CWE-267)
CVE-2024-55968 (Shared CWE-267)
CVE-2025-14349 (Shared CWE-267)
