Hitachi Energy HiDraw faces heap overflow vulnerability

CISA warns that versions 9.22 and earlier of Hitachi Energy's MACH HiDraw are vulnerable to CVE‑2026‑7310, with a fix slated for 9.23.

# Hitachi Energy's HiDraw software has a new security flaw.

CISA republished a Hitachi Energy advisory that identifies a heap‑based buffer overflow in the XML parser of MACH HiDraw, affecting versions 9.22 and earlier (CVE‑2026‑7310). An attacker who can get a crafted XML file parsed by HiDraw on the local machine can corrupt heap memory; the expected result is a crash of the application, and arbitrary code execution under the account running HiDraw is possible in principle. Hitachi Energy rates the issue CVSS 5.5 (medium), in line with a flaw that requires local access rather than a network path, and ships the fix in version 9.23.
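To make the bug class concrete, here is an added example that is not HiDraw code and does not reproduce the real CVE‑2026‑7310 defect: a toy XML attribute parser that copies an attribute value into a fixed‑size heap block without checking its length, beside the hardened form that rejects oversized values. The 16‑byte buffer, the `name="…"` attribute shape, and the two sample files are constructed for illustration.

```c
/* Added example (not HiDraw code): the bug class the advisory describes, a
 * heap-based buffer overflow in an XML parser, reduced to a toy attribute
 * parser. VALUE_CAP, the attribute shape and the inputs are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_CAP 16   /* fixed heap allocation for an attribute value (assumed) */

/* Locate the quoted value of attr (e.g. name="...") in xml. Sets *len to the
 * value length and returns a pointer to its first byte, or NULL when the
 * attribute or its closing quote is missing. */
static const char *find_attr(const char *xml, const char *attr, size_t *len)
{
    char key[64];
    if (snprintf(key, sizeof key, "%s=\"", attr) >= (int)sizeof key)
        return NULL;
    const char *p = strstr(xml, key);
    if (!p) return NULL;
    p += strlen(key);
    const char *q = strchr(p, '"');
    if (!q) return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* Vulnerable pattern: allocate VALUE_CAP bytes on the heap and copy the
 * attribute value in without comparing its length to the allocation. A value
 * of VALUE_CAP bytes or more writes past the block, corrupting allocator
 * metadata or a neighbouring object: a crash in the easy case, hijacked
 * control flow with a carefully shaped file. */
char *parse_attr_vulnerable(const char *xml, const char *attr)
{
    size_t len;
    const char *val = find_attr(xml, attr, &len);
    if (!val) return NULL;
    char *buf = malloc(VALUE_CAP);
    if (!buf) return NULL;
    memcpy(buf, val, len);        /* no bound: heap overflow when len >= VALUE_CAP */
    buf[len] = '\0';
    return buf;
}

/* Hardened form: reject values that do not fit, so the copy is bounded by the
 * destination size and never by attacker-controlled input alone. */
char *parse_attr_safe(const char *xml, const char *attr)
{
    size_t len;
    const char *val = find_attr(xml, attr, &len);
    if (!val) return NULL;
    if (len >= VALUE_CAP)          /* keep one byte for the terminator */
        return NULL;
    char *buf = malloc(VALUE_CAP);
    if (!buf) return NULL;
    memcpy(buf, val, len);
    buf[len] = '\0';
    return buf;
}

/* Length of an attribute value (0 when absent), useful for pre-screening a
 * file before handing it to a parser you do not trust. */
size_t attr_value_length(const char *xml, const char *attr)
{
    size_t len = 0;
    return find_attr(xml, attr, &len) ? len : 0;
}

int main(void)
{
    /* Constructed inputs: a benign file and one carrying an oversized value. */
    const char *benign  = "<drawing name=\"feeder1\" rev=\"3\"/>";
    const char *hostile = "<drawing name=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" rev=\"3\"/>";

    char *ok = parse_attr_safe(benign, "name");
    printf("safe parser, benign file:  %s\n", ok ? ok : "(rejected)");
    free(ok);

    char *bad = parse_attr_safe(hostile, "name");
    printf("safe parser, hostile file: %s\n", bad ? bad : "(rejected)");
    free(bad);

    /* Build with -fsanitize=address to see the heap-buffer-overflow report the
     * vulnerable parser produces on the hostile file. */
    char *boom = parse_attr_vulnerable(hostile, "name");
    free(boom);
    return 0;
}
```

The difference between the two parsers is a single comparison against the destination size; that is typical of this bug class, which is why a fixed-size allocation fed from a file should always be checked against the length the file claims.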

The vulnerability matters because HiDraw is deployed in critical infrastructure sectors such as dams, energy grids, and transportation systems worldwide. A successful exploit could take the HiDraw host down or, in the code‑execution case, give an attacker a foothold on an engineering system from which operational data could be altered, raising safety and reliability concerns. Because the flaw needs local access and a crafted XML file, the realistic path is a malicious file reaching a workstation that runs HiDraw; until the update is in place, the practical controls are to keep untrusted XML files away from those hosts and to limit who can log on to them. Operators are urged to apply the 9.23 update promptly and tighten network segmentation, as the advisory stresses that these control systems should not be exposed to the Internet.

In the broader ICS landscape, this is one more memory‑safety bug in native control‑system tooling, a reminder that file parsers in long‑lived engineering software remain a soft target. Hitachi Energy's patch is the standard response, but the episode underscores the need for continuous hardening and timely upgrades, especially for software that underpins public utilities.

Bottom line: if you run MACH HiDraw version 9.22 or earlier, schedule the 9.23 upgrade, confirm the host is not reachable from the Internet and is segmented from business networks, and restrict which files and which users can reach it until the update is applied.

The Revision

Written by an AI system from the public sources credited above.