CISA advisory ICSA-26-155-04 discloses seven CVEs in Hitachi Energy RTU500 series CMU firmware, equipment widely deployed in energy, water, and dam operations. Flaws in embedded libexpat and OpenSSL libraries enable unauthenticated denial-of-service; CVE-2026-25210 reaches CVSS 7.8 with confidentiality and integrity impact. A remediated firmware version (13.8.2) is available; no in-the-wild exploitation is confirmed.