This is a booby-trapped blueprint that only goes off after someone is already inside the control room
CVE-2026-7310 is a heap-based buffer overflow in the XML parsing functionality of Hitachi Energy MACH HiDraw. Publicly indexed enrichment for the CVE shows the affected range as HiDraw 9.0 through versions before 9.22, and the attacker path requires a local authenticated user plus a specially crafted XML file that gets opened or imported by HiDraw. The technical upside for an attacker is classic memory-corruption territory: crash, memory corruption, and possible code execution in the context of the engineering workstation user.
In real enterprise conditions this is not a top-tier emergency. The decisive friction is attacker position: this starts *after* the attacker already has access to a niche Windows engineering workstation or can reliably get an engineer to process a malicious project file. That sharply narrows the exposed population, lines up with the very low EPSS, and keeps the practical risk in MEDIUM even though memory corruption always sounds scarier on paper.
4 steps from start to impact.
Land on a HiDraw engineering workstation
- Target organization uses MACH HiDraw
- Attacker has local authenticated access or can operate through a logged-in user session
- Target host is an engineering workstation rather than a generic server
- HiDraw is a specialized ICS engineering tool with a much smaller deployment footprint than common enterprise software
- Many HiDraw systems are on segmented engineering networks rather than directly internet-exposed
- EDR, application control, and workstation hardening often make it harder to establish or maintain local access
Deliver a malicious XML project artifact
- Attacker can create a malformed XML file that targets HiDraw parsing
- Target workflow accepts external or modified project/configuration files
- Engineer or attacker session can place the file where HiDraw will process it
- No public exploit repository or commodity kit was found
- HiDraw file-handling workflows may involve change-control gates and known-good project repositories
- Attachment filtering and sandboxing can catch some obviously malformed file deliveries before they reach engineers
Trigger the vulnerable parser in HiDraw
- HiDraw parses the attacker-supplied XML
- A user action occurs to open/import/process the file
- The target version is in the vulnerable range
- User interaction is required
- File preview or review procedures may stop suspicious project artifacts before import
- Some shops restrict engineering changes to maintenance windows and approved project bundles
Corrupt heap memory and gain code execution in user context
- The malformed XML reaches the vulnerable parser path
- Exploit reliability is good enough for the target build and environment
- Current user context has access to sensitive project files or downstream systems
- Modern exploit mitigations, EDR memory telemetry, and ASLR/DEP can reduce reliability
- Local user context may be limited and not automatically equal domain or controller compromise
- No confirmed in-the-wild exploitation evidence was found
The supporting signals.
| Signal | Detail |
|---|---|
| In-the-wild status | No confirmed in-the-wild exploitation found during review; not listed in CISA KEV. |
| Proof-of-concept availability | No public PoC located across indexed sources reviewed; likely bespoke-only at this stage. |
| EPSS | 0.00017 from the user-provided intel block; that is effectively noise-floor territory. *Percentile was not independently verified from a primary EPSS record during this review.* |
| KEV status | Not KEV-listed as of the CISA KEV catalog page reviewed. |
| CVSS vector and interpretation | NVD displays a Hitachi Energy CNA CVSS v4 vector of `CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N`, which reads like a local, high-friction, user-assisted flaw rather than remote edge exploitation. |
| Affected versions | Public enrichment indexed from MITRE-adjacent sources shows MACH HiDraw 9.0 through before 9.22 as affected. |
| Fixed version | The same public enrichment implies 9.22 as the first fixed release. *No distro/backport data was found; this is Windows application software, not a Linux package case.* |
| Exposure/scanning reality | Internet exposure is likely negligible because the vulnerable surface is a local XML parser in a desktop engineering tool, not a network daemon. Shodan/Censys-style scanning is therefore low-value for direct discovery. |
| Disclosure date | 2026-05-26 per NVD change history. |
| Researcher / reporter | Not publicly named in the sources reviewed; the CVE source is Hitachi Energy. |
noisgate verdict.
The single most important reason this stays MEDIUM is that the attack requires authenticated local access plus a user-driven file-processing workflow on a niche engineering workstation. That makes it a post-compromise or targeted social-engineering problem with a sharply limited exposed population, not a broad enterprise-edge exploit wave candidate.
Why this verdict
- Requires local authenticated access: this is not unauthenticated remote code execution; the attacker is already on the box or piggybacking a logged-in engineer session.
- Requires user-assisted file parsing: the malicious XML still has to be opened/imported in HiDraw, so there is a workflow gate that modern controls and human process can interrupt.
- Narrow deployment population: MACH HiDraw is a specialized ICS engineering application, which dramatically reduces the number of exposed endpoints compared with mainstream enterprise software.
- Low threat evidence: EPSS is extremely low, KEV is negative, and no public PoC or active exploitation evidence was found.
Why not higher?
If this were a remotely reachable service or a broadly deployed server component, the memory-corruption angle would justify a much more aggressive score. But the real path is constrained by local authenticated access, user interaction, and a small install base, so the headline technical impact overstates enterprise-wide urgency.
Why not lower?
It is still a real memory-safety bug in an ICS engineering context, and successful exploitation may yield code execution in a trusted workstation used for control-system engineering. That combination keeps it above backlog-only hygiene: even niche engineering endpoints can have outsized operational value.
What to do — in priority order.
- Block untrusted project-file ingestion — Restrict HiDraw XML/project imports to vetted repositories, signed project bundles, or approved transfer paths. For a MEDIUM verdict there is no mitigation SLA, but this is the most effective immediate reduction while you work toward the patch inside the 365-day remediation window.
- Tighten workstation application control — Use AppLocker, WDAC, or equivalent to prevent HiDraw-launched child processes and to restrict execution from user-writeable directories. This helps contain a successful parser exploit on Windows engineering workstations; for MEDIUM, there is no mitigation SLA, so apply as part of normal hardening rather than emergency change.
- Harden access to engineering workstations — Enforce least privilege, restrict interactive logon, and require MFA or jump-host access where feasible so attackers cannot easily satisfy the local authenticated prerequisite. This matters more than perimeter scanning because the exploit path begins *after* workstation access is obtained.
- Monitor HiDraw opening XML from risky paths — Alert on HiDraw reading XML from email cache, downloads, temp folders, removable media, or ad hoc SMB shares. That gives defenders a practical tripwire for exploit delivery attempts on the exact workflow this CVE depends on.
- Perimeter firewall changes do not solve this, because the vulnerable surface is a local file parser rather than an inbound network service.
- Internet vuln scans and external ASM tools do not meaningfully validate exposure here; they cannot see a desktop application's local XML import path.
- Generic phishing awareness alone is not enough if attackers already have local authenticated access or can stage files through trusted engineering shares.
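The "Monitor HiDraw opening XML from risky paths" item above can be turned into a concrete detection. The following is an added example, not code from the original post or from Hitachi Energy. It assumes Sysmon-style process-creation events already parsed into dicts with `Image`, `CommandLine` and `User` keys (when an engineer double-clicks an XML associated with HiDraw, the launched process's command line carries the file path), a hypothetical vetted project share `\\eng-repo\projects`, and that `C:` and `D:` are the workstation's fixed drives. The HiDraw install path and all sample events are constructed for the demonstration.

```python
"""
Added example (not from the original post or Hitachi Energy): flag HiDraw launches
whose XML argument comes from an untrusted delivery path such as a browser
download folder, the Outlook attachment cache, a temp directory, removable or
mapped media, or an ad hoc UNC share.

Assumptions (none come from the page): input records are Sysmon-style
process-creation events as dicts with Image, CommandLine and User; the trusted
share and fixed-drive set below are hypothetical; sample events are constructed.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Directory fragments that indicate an untrusted delivery channel.
RISKY_DIR_PATTERNS = [
    re.compile(r"\\downloads\\", re.I),
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"\\inetcache\\", re.I),   # Outlook/IE attachment cache
    re.compile(r"\\windows\\temp\\", re.I),
]
FIXED_DRIVES = {"C:", "D:"}                      # assumption: fixed local drives
TRUSTED_PREFIXES = ("\\\\eng-repo\\projects\\",) # hypothetical vetted project share

# First .xml argument on a command line, quoted or bare.
XML_ARG = re.compile(r'"([^"]+\.xml)"|(\S+\.xml)(?!\S)', re.I)


def extract_xml_path(cmdline: str) -> Optional[str]:
    """Return the XML file path passed to the process, or None if there is none."""
    m = XML_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def risky_reason(path: str) -> Optional[str]:
    """Explain why `path` is an untrusted source for a project file, else None."""
    low = path.lower()
    if low.startswith(tuple(t.lower() for t in TRUSTED_PREFIXES)):
        return None                              # vetted repository: no alert
    if low.startswith("\\\\"):
        return "unc-share"                       # any other UNC path is ad hoc
    for pat in RISKY_DIR_PATTERNS:
        if pat.search(path):
            return "untrusted-directory"
    drive = ntpath.splitdrive(path)[0].upper()
    if drive and drive not in FIXED_DRIVES:
        return "removable-or-mapped-drive"
    return None


def is_hidraw(image: str) -> bool:
    """Match the HiDraw executable by basename so the install directory does not matter."""
    return ntpath.basename(image).lower().startswith("hidraw")


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per HiDraw launch whose XML argument comes from a risky path."""
    alerts = []
    for ev in events:
        if not is_hidraw(ev.get("Image", "")):
            continue
        xml = extract_xml_path(ev.get("CommandLine", ""))
        if xml is None:
            continue                             # plain launch, nothing to inspect
        reason = risky_reason(xml)
        if reason:
            alerts.append({"user": ev.get("User", "?"), "file": xml, "reason": reason})
    return alerts


HIDRAW = r"C:\Program Files\Hitachi Energy\HiDraw\HiDraw.exe"   # assumed install path

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": HIDRAW, "User": "CORP\\eng1",
     "CommandLine": f'"{HIDRAW}" "C:\\Users\\eng1\\Downloads\\substation_A.xml"'},
    {"Image": HIDRAW, "User": "CORP\\eng1",
     "CommandLine": f'"{HIDRAW}" "\\\\eng-repo\\projects\\substation_A.xml"'},
    {"Image": HIDRAW, "User": "CORP\\eng2",
     "CommandLine": f'"{HIDRAW}" E:\\import\\config.xml'},
    {"Image": r"C:\Windows\notepad.exe", "User": "CORP\\eng1",
     "CommandLine": r"notepad.exe C:\Users\eng1\Downloads\notes.xml"},
    {"Image": HIDRAW, "User": "CORP\\eng3",
     "CommandLine": f'"{HIDRAW}" "C:\\Users\\eng3\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\A1B2C3\\project.xml"'},
    {"Image": HIDRAW, "User": "CORP\\eng2",
     "CommandLine": f'"{HIDRAW}" "\\\\adhoc-share\\drop\\project.xml"'},
    {"Image": HIDRAW, "User": "CORP\\eng1",
     "CommandLine": f'"{HIDRAW}" D:\\Projects\\known_good.xml'},
    {"Image": HIDRAW, "User": "CORP\\eng1",
     "CommandLine": f'"{HIDRAW}"'},              # launched without a file
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {a['reason']:<26} {a['user']:<12} {a['file']}")
```

Run against the constructed events, four of the eight launches alert (Downloads, removable drive, Outlook cache, ad hoc share); the launch from the vetted share, the launch from a fixed-drive project folder, the notepad event and the file-less launch do not. The same shape works for file-read telemetry (Windows object-access auditing) by feeding the audited object name to `risky_reason` instead of parsing a command line.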
Crowdsourced verification payload.
Run this on the target Windows workstation where MACH HiDraw may be installed. Invoke from an elevated PowerShell prompt with `powershell -ExecutionPolicy Bypass -File .\check-hidraw-cve-2026-7310.ps1`; local admin helps for full registry and file-system coverage, but standard user often works. The script checks uninstall entries and common file locations, then prints VULNERABLE, PATCHED, or UNKNOWN.
```powershell
# check-hidraw-cve-2026-7310.ps1
# Detect probable exposure to CVE-2026-7310 on Windows hosts running Hitachi Energy MACH HiDraw.
# Logic: versions >= 9.0 and < 9.22 are treated as VULNERABLE based on public enrichment.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
$ErrorActionPreference = 'SilentlyContinue'

# Product-name test shared by the registry and file-system sweeps.
# \bMACH\b avoids false hits on unrelated names such as "Virtual Machine Tools".
$productPattern = 'HiDraw|\bMACH\b'

function Parse-Version($s) {
    # Pull the first dotted numeric run out of a DisplayVersion/ProductVersion string.
    if (-not $s) { return $null }
    $m = [regex]::Match($s, '(\d+(?:\.\d+){0,3})')
    if (-not $m.Success) { return $null }
    try { return [version]$m.Groups[1].Value } catch { return $null }
}

function Test-VulnRange($ver) {
    # $true = inside the vulnerable range, $false = outside it, $null = version unknown.
    if ($null -eq $ver) { return $null }
    $lower = [version]'9.0'
    $upper = [version]'9.22'
    return ($ver -ge $lower -and $ver -lt $upper)
}

$findings = @()

# 1) Uninstall registry entries (64-bit, 32-bit and per-user hives)
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($root in $uninstallRoots) {
    Get-ItemProperty $root | ForEach-Object {
        $name = $_.DisplayName
        if ($name -and $name -match $productPattern) {
            $findings += [pscustomobject]@{
                Source = 'Registry'
                Name   = $name
                Path   = $_.PSPath
                RawVer = $_.DisplayVersion
                Ver    = Parse-Version $_.DisplayVersion
            }
        }
    }
}

# 2) Common install paths (Hitachi Energy and legacy ABB branding)
$paths = @(
    'C:\Program Files\Hitachi Energy',
    'C:\Program Files (x86)\Hitachi Energy',
    'C:\Program Files\ABB',
    'C:\Program Files (x86)\ABB'
)
foreach ($base in $paths) {
    if (Test-Path $base) {
        Get-ChildItem -Path $base -Recurse -Include *.exe -File | ForEach-Object {
            if ($_.Name -match $productPattern) {
                # Prefer ProductVersion; fall back to FileVersion when the binary lacks it.
                $fv = $_.VersionInfo.ProductVersion
                if (-not $fv) { $fv = $_.VersionInfo.FileVersion }
                $findings += [pscustomobject]@{
                    Source = 'File'
                    Name   = $_.Name
                    Path   = $_.FullName
                    RawVer = $fv
                    Ver    = Parse-Version $fv
                }
            }
        }
    }
}

# Deduplicate by path+version; @() keeps .Count reliable for zero or one result.
$findings = @($findings | Sort-Object Path, RawVer -Unique)
if ($findings.Count -eq 0) {
    Write-Output 'UNKNOWN - HiDraw/MACH installation not found via registry or common paths.'
    exit 2
}

$vuln = $false
$patched = $false
foreach ($f in $findings) {
    $state = Test-VulnRange $f.Ver
    $line = "{0} | {1} | version='{2}'" -f $f.Name, $f.Path, $f.RawVer
    if ($null -eq $state) {
        Write-Output "UNKNOWN_CANDIDATE - $line"
    } elseif ($state) {
        $vuln = $true
        Write-Output "VULNERABLE_CANDIDATE - $line"
    } else {
        $patched = $true
        Write-Output "PATCHED_CANDIDATE - $line"
    }
}

# Any vulnerable candidate wins; otherwise a patched candidate yields PATCHED,
# and a host with only unparseable versions stays UNKNOWN.
if ($vuln) {
    Write-Output 'VULNERABLE'
    exit 1
}
if ($patched) {
    Write-Output 'PATCHED'
    exit 0
}
Write-Output 'UNKNOWN'
exit 2
```
If you remember one thing.
Sources
- NVD CVE-2026-7310 detail
- Hitachi Energy cybersecurity alerts and notifications
- Public enrichment for affected MACH HiDraw versions
- Hitachi Review article describing HiDraw in MACH systems
- CISA Known Exploited Vulnerabilities catalog
- FIRST EPSS data and report documentation
- Tenable CVE record mirroring description and CNA CVSS display