Cyber Posture

CVE-2026-2460

High

Published: 24 February 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2460 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Hitachi Energy REB500 firmware. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 3.9th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068).

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: AC-6 enforces the principle of least privilege, directly preventing low-privilege authenticated users from accessing or altering unauthorized directories via the DAC protocol.

Prevent: AC-3 requires systems to enforce approved access authorizations, mitigating the vulnerability by blocking unauthorized directory read and write operations beyond a user's privilege level.

Prevent: AC-2 manages accounts to assign and review only necessary privileges, reducing the risk of low-privilege accounts enabling privilege escalation to unsafe directory actions.

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE describes a privilege escalation vulnerability (CWE-267) that allows low-privileged authenticated users to exceed their authorized scope of directory access and modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability exists in REB500 for an authenticated user with low-level privileges to access and alter the content of directories by using the DAC protocol that the user is not authorized to do so.

Deeper analysis [AI]

CVE-2026-2460 is a privilege escalation vulnerability in the REB500 product from Hitachi Energy. It allows an authenticated user with low-level privileges to access and alter directory contents via the DAC protocol beyond their authorized scope. The issue is classified under CWE-267 (Privilege Defined With Unsafe Actions) and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

An attacker with low-privilege authenticated access to the REB500 system can exploit this vulnerability remotely over the network without user interaction. Successful exploitation enables unauthorized reading of sensitive data (high confidentiality impact) and modification of directory contents (high integrity impact), potentially leading to data tampering or exposure in industrial control environments where REB500 is deployed.

Mitigation details are available in the Hitachi Energy security advisory at https://publisher.hitachienergy.com/preview?DocumentID=8DBD000217&LanguageCode=en&DocumentPartId=&Action=Launch, published alongside the CVE on 2026-02-24.

Details

CWE(s)

Affected Products

hitachienergy · reb500 firmware · ≤ 8.3.3.1

CVEs Like This One

CVE-2026-2459 · Same product: Hitachi Energy REB500
CVE-2026-29646 · Shared CWE-267
CVE-2025-23015 · Shared CWE-267
CVE-2026-0945 · Shared CWE-267
CVE-2025-41244 · Shared CWE-267
CVE-2026-23526 · Shared CWE-267
CVE-2026-27314 · Shared CWE-267
CVE-2025-14349 · Shared CWE-267
CVE-2024-55968 · Shared CWE-267
CVE-2026-1773 · Same vendor: Hitachi Energy
