Hitachi Incident Response Team

hitachi-sec-2025-001 : Insecure Loading of Dynamic Link Libraries in USB-CONVERTERCABLE DRIVER and HVAC Energy Savings Program

Last Update: February 14, 2025

1. Overview

Insecure loading of Dynamic Link Libraries (DLLs) has been discovered in USB-CONVERTERCABLE DRIVER and HVAC Energy Savings Program, which could allow local attackers to potentially disclose information or execute arbitrary code on affected systems. Exploitation of these vulnerabilities requires user interaction, such as opening a malicious file.

CVE-2024-57963: Insecure Loading of DLLs
The flaw exists in USB-CONVERTERCABLE DRIVER.

CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:P [6.8]
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H [7.3]
CWE-427: Uncontrolled Search Path Element

CVE-2024-57964: Insecure Loading of DLLs
The flaw exists in HVAC Energy Savings Program.

CVSS:2.0 AV:N/AC:M/Au:N/C:P/I:P/A:P [6.8]
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H [7.3]
CWE-427: Uncontrolled Search Path Element

2. Affected Systems

  • Hitachi Industrial Equipment & Solutions America, LLC. USB-CONVERTERCABLE DRIVER
    cpe:2.3:a:hitachi:usb-convertercable-driver--54fb9a36-9a47-57a2-977d-2588be3790f8:*:*:*:*:*:*:*:*
  • Hitachi Industrial Equipment & Solutions America, LLC. HVAC Energy Savings Program
    cpe:2.3:a:hitachi:hvac-energy-savings-program--18751e96-672c-5129-a5fd-459ab65f2caf:*:*:*:*:*:*:*:*

3. Impact

These vulnerabilities allow users to potentially disclose information or to execute arbitrary code on a vulnerable system.

4. Solution

The USB-CONVERTERCABLE DRIVER and HVAC Energy Savings Program have already reached End of Life (EOL) and are no longer supported. Hitachi recommends that these products be retired.

5. References

6. Credit

Sahil Shah and Shaurya reported these vulnerabilities.

7. Update history

February 14, 2025
  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)