Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products
Act Now 9.8 | ICS-CERT ICSA-23-278-01 | Oct 5, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple input validation and integer overflow vulnerabilities in Hitachi Energy AFS65X, AFS66X, AFS67X, and AFR67X series protective relay and automation controllers. CWEs: CWE-682 (Incorrect Calculation), CWE-190 (Integer Overflow), CWE-116 (Improper Encoding or Escaping), CWE-668 (Exposure of Resource to Wrong Sphere). Successful exploitation could compromise availability, integrity, and confidentiality of the targeted devices. Attack requires network access to HTTP/HTTPS or IEC61850-MMS services.
What this means
What could happen
An attacker could remotely execute commands on these protective relay controllers, potentially altering protection settings, disabling alarms, modifying automation logic, or causing devices to trip or fail to operate, directly impacting grid stability and power delivery.
Who's at risk
Electric utilities and renewable energy operators using Hitachi Energy protective relay controllers (AFS65X, AFS66X, AFS67X, AFR67X series) for substation automation and protection. These devices control critical protection logic for power transformers, feeders, and generators. Any organization with these relays in active service should immediately apply mitigations regardless of network topology.
How it could be exploited
An attacker on the network sends a specially crafted input to the HTTP/HTTPS web interface or IEC61850-MMS protocol service. Input validation flaws and integer overflow conditions allow the attacker to overflow buffers or bypass security checks, achieving code execution on the controller without requiring authentication.
Prerequisites
- Network access to port 80/443 (HTTP/HTTPS) or port 102 (IEC61850-MMS)
- Device must have HTTP/HTTPS or IEC61850-MMS services enabled (default state)
- No authentication required

remotely exploitable | no authentication required | low complexity | high EPSS score (13.3%) | no patch available for most models | affects critical infrastructure protection systems | default configurations expose vulnerable services
Exploitability
High exploit probability (EPSS 13.3%)
Affected products (8)
8 with fix

| Product | Affected Versions | Fix Status |
|---|---|---|
| AFF66X FW | ≤ 03.0.02 | 04.x.xx (pending release) |
| AFS66X-S | All versions | 7.1.08 (pending release) |
| AFS660-C | All versions | 7.1.08 (pending release) |
| AFS66X-B | All versions | 7.1.08 (pending release) |
| AFS670-V20 | All versions | 7.1.08 (pending release) |
| AFS65X | All versions | 09.1.08 |
| AFS67X | All versions | 09.1.08 |
| AFR677 | All versions | 09.1.08 |

Remediation & Mitigation
Do now
- WORKAROUND: Disable HTTP/HTTPS server on all affected devices, or restrict access to HTTP/HTTPS to trusted IP addresses only using firewall rules
- WORKAROUND: Disable IEC61850-MMS server on all affected devices, or restrict network access to IEC61850-MMS port 102 to trusted engineering workstations only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: For AFS65X, AFS67X, AFR677: update firmware to version 09.1.08 or later
- HOTFIX: For AFF66X: apply update to firmware version 04.x.xx when released by Hitachi Energy
- HOTFIX: For AFS66X-S, AFS660-C, AFS66X-B, AFS670-V20: apply update to firmware version 7.1.08 or later when released
Long-term hardening
- HARDENING: Implement network segmentation to isolate protective relay controllers from untrusted networks and require firewall inspection of all HTTP/HTTPS and IEC61850-MMS traffic
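
One way to verify that the workarounds above are actually enforced, as an added example (not part of the advisory or any Hitachi Energy tooling): the script scans accepted firewall flow records for TCP connections to relay ports 80/443 and 102 from sources outside the trusted lists. The log format, all addresses, and all names are constructed assumptions.

```python
import ipaddress

# Ports named in the advisory: HTTP/HTTPS web interface and IEC61850-MMS.
WEB_PORTS = {80, 443}
MMS_PORT = 102

# Constructed site data (assumptions): relay subnet and trusted sources.
RELAYS = [ipaddress.ip_network("10.20.30.0/28")]
TRUSTED_WEB = [ipaddress.ip_network("10.20.1.10/32")]
TRUSTED_MMS = [ipaddress.ip_network("10.20.1.10/32"),
               ipaddress.ip_network("10.20.1.11/32")]

# Constructed flow records, one per line: "src dst proto dport action".
SAMPLE_FLOWS = """\
10.20.1.10 10.20.30.2 tcp 443 ACCEPT
10.20.1.11 10.20.30.2 tcp 102 ACCEPT
10.50.7.23 10.20.30.3 tcp 80 ACCEPT
10.50.7.23 10.20.30.3 tcp 102 DROP
10.20.1.11 10.20.30.4 tcp 443 ACCEPT
10.50.7.23 10.99.0.5 tcp 443 ACCEPT
garbage line
10.20.1.10 10.20.30.2 udp 102 ACCEPT
"""

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (findings, malformed_line_numbers) for accepted relay flows."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        try:
            src_s, dst_s, proto, dport_s, action = parts
            src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
            dport = int(dport_s)
        except ValueError:
            malformed.append(lineno)  # surface unparseable lines, do not hide them
            continue
        if proto != "tcp" or action != "ACCEPT" or not _in_any(dst, RELAYS):
            continue
        if dport in WEB_PORTS and not _in_any(src, TRUSTED_WEB):
            findings.append((lineno, src_s, dst_s, dport, "web"))
        elif dport == MMS_PORT and not _in_any(src, TRUSTED_MMS):
            findings.append((lineno, src_s, dst_s, dport, "mms"))
    return findings, malformed

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS)[0]:
        print("untrusted source reached relay service:", finding)
```

The web and MMS allowlists are kept separate, so a workstation trusted for port 102 is still flagged if it reaches the web interface.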
CVEs (14)