OTPulse

Secheron SEPCOS Control and Protection Relay

Act Now | 9.9 | ICS-CERT ICSA-22-174-03 | Jun 23, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Secheron SEPCOS Single Package control and protection relays contain multiple vulnerabilities in the S-Web interface and underlying PLC configuration that allow attackers with authenticated access to escalate privileges to root, upload arbitrary files, execute code, and modify protective function parameters. Affected firmware versions: 1.23.xx (before 1.23.22), 1.24.xx (before 1.24.8), and 1.25.xx (before 1.25.3).

What this means
What could happen
An authenticated attacker could gain root-level control of the SEPCOS relay, allowing them to modify protective settings, stop power system operations, execute arbitrary code, or alter process parameters that could disrupt power delivery or trigger unintended protective actions.
Who's at risk
Operators of electric power systems and manufacturing facilities using Secheron SEPCOS Single Package control and protection relays, particularly those on versions prior to 1.23.22, 1.24.8, or 1.25.3 respectively. This affects critical infrastructure protection systems that manage generator protection, feeder protection, and other power distribution logic.
How it could be exploited
An attacker with network access to the S-Web interface (ports 80/443) and valid credentials could exploit S-Web vulnerabilities to gain initial footholds with PLC-level control, then leverage FTP or SSH misconfigurations to escalate privileges to OS root on the relay device. The attacker could then upload firmware, reset the device, or modify protective relay settings.
Prerequisites
  • Network access to HTTP/HTTPS ports (80/443) on the SEPCOS relay
  • Valid S-Web interface credentials (engineering workstation or operator account)
  • Direct connectivity to the relay or access through compromised internal network device
  • remotely exploitable via S-Web interface
  • requires valid credentials (not zero-auth)
  • low attack complexity
  • affects power system protective relays (safety-critical)
  • privilege escalation to OS root
  • allows code execution and firmware modification
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
SEPCOS Single Package firmware (1.23.xx feature level): All | < 1.23.21 | 1.25.3 or higher version
SEPCOS Single Package firmware (1.24.xx feature level): All | < 1.24.8 | 1.25.3 or higher version
SEPCOS Single Package firmware (1.25.xx feature level): All | < 1.25.3 | 1.25.3 or higher version
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to relay communications: close ports 80 and 443 at the network switch level if not required for engineering or monitoring functions
HARDENING: Review and revoke unnecessary S-Web credentials; limit access to approved engineering workstations only
HARDENING: Disable or restrict SSH and FTP access if not required for relay management; use secure out-of-band management if available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SEPCOS Single Package firmware to 1.23.22 or higher for feature level 1.23.xx systems
HOTFIX: Update SEPCOS Single Package firmware to 1.24.8 or higher for feature level 1.24.xx systems
HOTFIX: Update SEPCOS Single Package firmware to 1.25.3 or higher for feature level 1.25.xx systems
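
An added triage sketch (not part of the advisory or any Secheron tooling) that checks an asset inventory against the per-feature-level hotfix versions above and lists the relays that still need attention. It assumes firmware versions are recorded as dotted `major.minor.patch` strings; the asset names and sample versions are constructed. It uses the 1.23.22 threshold from the summary and hotfix list, whereas the affected-products table shows "< 1.23.21" for that feature level.

```python
import re

# Minimum fixed firmware per feature level, taken from the advisory's
# summary and hotfix list (1.23.22, 1.24.8, 1.25.3).
FIXED_PATCH = {(1, 23): 22, (1, 24): 8, (1, 25): 3}

# Assumed inventory format: optional "v" prefix, then major.minor.patch.
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def classify(version):
    """Return (status, hotfix_target) for one firmware version string."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return ("unparseable", None)      # needs manual review
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return ("not-listed", None)       # feature level not named in the advisory
    target = f"{major}.{minor}.{fixed}"
    # Compare numerically: as strings, "1.23.9" would sort after "1.23.22".
    return ("affected", target) if patch < fixed else ("fixed", target)


def triage(inventory):
    """Return rows that need action: anything not confirmed as fixed."""
    rows = []
    for asset, version in inventory:
        status, target = classify(version)
        if status != "fixed":
            rows.append((asset, version, status, target))
    return rows


# Constructed sample inventory; asset names and versions are made up.
SAMPLE = [
    ("relay-a", "1.23.9"),
    ("relay-b", "1.23.22"),
    ("relay-c", "1.24.7"),
    ("relay-d", "v1.25.3"),
    ("relay-e", "1.22.40"),
    ("relay-f", "1.25.xx"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```
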
Long-term hardening
HARDENING: Segment control system network behind firewall; isolate SEPCOS relays from business network and external Internet access
HARDENING: Monitor and audit relay access logs during maintenance windows for unauthorized configuration changes or access attempts