OTPulse
FeedAboutContact

ABB Relion 650 Series OpenSSL Vulnerability (Update A)

Act NowICS-CERT ICSA-14-126-01AFeb 6, 2014
Summary

OpenSSL vulnerability (CWE-119, buffer overflow) in ABB Relion 650 series protective relays. The vulnerability allows remote code execution via crafted TLS handshake packets sent to the relay's management interface. Version 1.3.0 is affected. No vendor patch is available. This vulnerability is actively exploited in the wild (CISA KEV), indicating real-world attack campaigns targeting these devices.

What this means
What could happen
An attacker who gains network access to the Relion 650 series could exploit the OpenSSL vulnerability to execute arbitrary code on the protective relay, potentially disrupting grid protection, altering relay settings, or causing uncontrolled power system events.
Who's at risk
Electric utilities operating ABB Relion 650 series protective relays in transmission or distribution networks. These relays are critical for fault detection and power system protection. Compromise could affect grid stability, protection coordination, and service continuity.
How it could be exploited
An attacker with network access to port 443 (or the management interface) sends a specially crafted TLS handshake packet that exploits the OpenSSL buffer overflow (CWE-119). The vulnerability allows code execution in the relay's context, enabling modification of protection logic or relay settings without authentication.
Prerequisites
  • Network access to the Relion 650 management interface (typically port 443 or 502)
  • No credentials required for exploitation
remotely exploitableno authentication requiredactively exploited (KEV)very high EPSS (94.5%)no patch availableaffects safety/protection systemsbuffer overflow (CWE-119)
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
ProductAffected VersionsFix Status
650 series: 1.3.01.3.0No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/3
WORKAROUNDImmediately isolate Relion 650 relays from untrusted networks; restrict access to the management interface using firewall rules (whitelist only authorized engineering workstations and SCADA systems)
WORKAROUNDDisable remote access to the relay if not operationally required; use local engineering access only
HARDENINGMonitor for unauthorized access attempts to Relion 650 devices (port scans, TLS connections from unexpected sources)
Mitigations - no patch available
0/1
650 series: 1.3.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGContact ABB technical support to assess whether end-of-life options or hardware replacement is feasible, as no patch is available
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/9f9f8b56-e20a-4462-91db-5cdf9ca284fd