CISA has republished a Hitachi Energy advisory detailing a critical path traversal vulnerability in the PCM600 configuration tool, a mainstay for protection and control engineers in electric utility substations. The flaw, known as a Zip Slip, can be exploited through maliciously crafted ZIP archives, potentially granting attackers a foothold on the very engineering workstations used to manage grid-critical relays and intelligent electronic devices (IEDs).
Hitachi Energy disclosed the issue on May 5, 2026, and CISA’s amplification signals the seriousness of a vulnerability that sits at the intersection of IT and operational technology (OT). With PCM600 used globally in power generation, transmission, and distribution, an unpatched workstation could become the entry point for a far-reaching cyberattack.
What is Zip Slip and Why It Matters in OT
Zip Slip isn’t a single bug but a class of directory traversal vulnerabilities that arise when applications blindly trust filenames inside a ZIP archive. An attacker crafts an archive containing files whose names include path traversal sequences like ../../, and when the archive is extracted, those files are written outside the intended directory. The result can range from overwriting system files to dropping a malicious executable in a startup folder—all without user interaction beyond opening the ZIP.
In a patched application, extraction routines sanitize filenames by stripping directory separators or rejecting entries that resolve outside the target folder. Affected versions of PCM600, however, do not perform this validation. That means a seemingly benign project file or firmware package shared among engineers could be weaponized.
The OT context magnifies the risk. Engineering workstations often run older, unpatched operating systems and lack endpoint detection because of rigorous change management and uptime requirements. They also tend to be networked—directly or indirectly—to field devices, so a compromise here could ripple down to relays, remote terminal units (RTUs), and eventually the physical grid.
Affected Versions and Attack Surface
The advisory explicitly calls out “legacy and 3.x versions” of PCM600. While Hitachi Energy hasn’t published a granular version matrix in the public advisory, their internal bulletin and CISA’s re-release make clear that any PCM600 installation not updated to a patched release is at risk. That includes versions 3.1 and earlier, as well as the older PCM600 2.x series that still lingers in many brownfield sites.
The attack surface is deceptively small. A successful exploit requires convincing an engineer to open a malicious ZIP archive with PCM600—perhaps disguised as a firmware update for a protection relay, a configuration backup, or even a third-party IEC 61850 substation configuration file. Once opened, the archive’s internal filenames are processed without proper checks, and the payload is written to an arbitrary location.
Hitachi Energy rated the vulnerability with a CVSS v4 score of 7.3 (High), emphasizing that exploitation is achievable without special privileges but does rely on user interaction. The low attack complexity, however, suggests that a determined adversary could craft reliable exploits for spear-phishing campaigns targeting utility engineers.
CISA’s Stakes in Amplifying the Advisory
CISA’s decision to republish the advisory under its own ICS Advisory banner is a signal to the entire critical infrastructure community. The agency doesn’t re-broadcast every vendor bulletin; it does so when the vulnerability has the potential to affect multiple sectors, when patch adoption is expected to be slow, or when active exploitation is possible.
In the past year, CISA has repeatedly stressed that engineering workstations are the soft underbelly of OT security. Attackers who breach these systems can move laterally into process control networks, manipulate protective relay settings, or disable safety functions. The PCM600 flaw fits squarely into that threat model.
The advisory underscores two hardening measures beyond patching. First, network segmentation: engineering workstations should be isolated from business networks and strictly controlled via jump hosts. Second, awareness training: engineers must treat project files and firmware archives from external sources with the same suspicion they would an email attachment.
Mitigation and Remediation
Hitachi Energy has released updated versions of PCM600 that properly handle ZIP extraction. Users are urged to upgrade to the latest supported version immediately. For legacy installations where an upgrade isn’t feasible due to compatibility with older IEDs, the vendor recommends a workaround: disable automatic extraction of ZIP archives where possible, and manually inspect archive contents before opening them in PCM600.
Additional mitigation strategies include:
- Deploying application whitelisting on engineering workstations to prevent execution of unauthorized binaries dropped via Zip Slip.
- Monitoring the file system for unexpected file writes to sensitive directories (e.g., C:\Windows\System32, C:\ProgramData\Microsoft\Windows\Start Menu).
- Enforcing the principle of least privilege; engineering accounts should not have local administrator rights.
- Using a YARA rule to scan incoming ZIP files for path traversal patterns before they reach the workstation.
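The filename check that a patched extraction routine performs, and the pre-screening step the list above calls for, shown together as an added Python example that is not part of the advisory or of PCM600 itself. The function names, the constructed test archive, and the policy of refusing an entire archive when any entry escapes the target folder are assumptions of this example.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def escapes_base(base: Path, member_name: str) -> bool:
    """True if a ZIP entry name would land outside base once extracted."""
    name = member_name.replace("\\", "/")  # PCM600 runs on Windows: '\' is a separator too
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute or drive-letter path
    try:
        (base / name).resolve().relative_to(base.resolve())
    except ValueError:
        return True  # normalised path is not under base
    return False

def find_unsafe_entries(archive: bytes, dest: str) -> list[str]:
    """Pre-screen an archive: entry names that would escape dest."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [n for n in zf.namelist() if escapes_base(Path(dest), n)]

def safe_extract(archive: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract only if every entry stays inside dest; returns (extracted, rejected)."""
    rejected = find_unsafe_entries(archive, dest)
    if rejected:
        return [], rejected  # refuse the whole archive, write nothing
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
        return zf.namelist(), []

def build_sample_archive(with_traversal: bool) -> bytes:
    """Constructed test archive, not a real PCM600 project file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/relay.pcmp", "benign content")
        if with_traversal:
            zf.writestr("../../startup/evil.exe", "x")
            zf.writestr("..\\..\\Windows\\System32\\evil.dll", "x")
    return buf.getvalue()

def run_demo() -> dict:
    """Screen a malicious and a clean archive against a scratch directory."""
    dest = tempfile.mkdtemp()
    _, rejected = safe_extract(build_sample_archive(True), dest)
    extracted, _ = safe_extract(build_sample_archive(False), dest)
    return {"rejected": rejected, "extracted": extracted,
            "on_disk": (Path(dest) / "project" / "relay.pcmp").is_file()}
```

The check is done on the resolved path, not on the presence of a literal "../" substring, so encoded or backslash variants are caught as well.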
Hitachi Energy also noted that the PCM600 Project Manager component handles ZIP files; administrators can configure the software to open projects from a trusted, read-only location to reduce exposure.
Wider Implications for OT Engineering Software
PCM600 is far from the only OT engineering tool with such a flaw. In recent years, researchers have found similar Zip Slip vulnerabilities in software from Siemens, ABB, and Schneider Electric. The common thread is a codebase that originated in an era when engineers shared files on floppy disks, not over the internet. Modernizing that code while maintaining backward compatibility with thousands of installed IEDs is a formidable challenge.
The advisory serves as a reminder that supply chain trust is critical. A contractor or vendor-provided ZIP file could be the vehicle for a supply chain attack, slipping past perimeter defenses because it’s a “trusted” project file. Utilities must begin treating OT engineering data with the same rigor as IT software binaries—checking digital signatures, running sandboxed analysis, and requiring multi-factor authentication for file transfers.
CISA’s proactive advisory issuance aligns with its recently expanded “Shields Ready” campaign, which encourages asset owners to implement basic cyber hygiene for engineering environments. The PCM600 vulnerability is a textbook example of why.
What Users Should Do Now
- Identify affected installations: Conduct a quick sweep using Hitachi Energy’s version detection script or a simple manual check of the PCM600 “About” dialog. Note the full version and build number.
- Isolate the workstation: Until patching is complete, restrict network access for any machine running PCM600. If possible, air-gap the workstation and transfer project files via scanned USB media.
- Apply the patch: Download the latest PCM600 installer from Hitachi Energy’s customer portal. The updated version resolves the path traversal and adds additional validation checks.
- Review access logs: Check recent file activity for anomalous ZIP openings or unexpected file writes coinciding with external correspondence.
- Update security policies: Mandate that all project archives received from third parties be inspected by a security tool capable of detecting path traversal filenames before being placed on any OT network.
Hitachi Energy has confirmed that the patch is comprehensive and does not alter the tool’s workflow or compatibility with field devices, minimizing regression risk.
The Curve Ahead
As utilities push toward digital substations under IEC 61850, the reliance on engineering workstations like PCM600 will only deepen. These systems become the crown jewels for threat actors seeking to infiltrate the grid undetected. CISA’s amplification of this advisory is not just about a single bug; it’s a nudge to an entire industry that the security assumptions of yesteryear no longer hold.
Engineers trained to trust the tools of their trade must now view project files with suspicion. The burden falls on vendors like Hitachi Energy to bake in defenses that don’t rely on operator vigilance—and on asset owners to demand secure-by-default architectures when refreshing their OT estates.
For now, the immediate priority is clear: patch PCM600, segment, and monitor. The grid’s reliability may depend on it.