Hitachi Energy Relion 670/650/SAM600-IO Series (Update C)

Monitor6.5ICS-CERT ICSA-25-133-02May 13, 2025

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in Hitachi Energy Relion 670, 650, and SAM600-IO series devices allows an attacker with network access to cause the device to become unresponsive or cease operating normally. The affected devices include relay series 670 and 650, as well as the SAM600-IO I/O module, across multiple firmware versions (2.0.0.x, 2.1.0.x, 2.2.1.x, 2.2.2.x, 2.2.3.x, 2.2.4.x, and 2.2.5.x). An attacker does not need credentials to exploit this vulnerability.

What this means

What could happen

An attacker with network access to a Relion relay or bay controller could disrupt its operation, potentially causing loss of visibility or control over electrical distribution equipment. This could result in power outages or inability to respond to grid events.

Who's at risk

Electric utilities and energy operators using Hitachi Energy Relion 670 or 650 series protection and control relays, and SAM600-IO I/O modules. These are commonly found in substations and distributed generation facilities. Relion devices provide critical protection, control, and monitoring functions for transformers, feeders, and bus systems.

How it could be exploited

An attacker on the local network (or with network access to the device) sends a crafted message to the Relion device. The device fails to properly validate or handle the message, causing it to stop responding or become unavailable. No authentication is required.

Prerequisites

Network access to the Relion device on the local network segment (AV:A per CVSS vector)
No credentials required (PR:N)
Device must be running an affected firmware version

remotely exploitable from local networkno authentication requiredlow complexity attackaffects critical protection and control devicesmultiple firmware versions affected across product line

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Relion 670 series≥ 2.0.0.0, ≤ 2.0.0.13; vers:2.2.0/*; ≥ 2.2.2.0, < 2.2.2.6; ≥ 2.2.3.0, < 2.2.3.72.2.3.7

Relion 670/650 series650/≥ 2.1.0.0, ≤ 2.1.0.52.1.0.6

Relion 670/650 series650/≥ 2.2.4.0, < 2.2.4.42.2.4.4

Relion 670/650/SAM600-IO series650/SAM600-IO/≥ 2.2.1.0, ≤ 2.2.1.82.2.1.9

Relion 670/650/SAM600-IO series650/SAM600-IO/≥ 2.2.5.0, < 2.2.5.62.2.5.6

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDIf remote access to Relion devices is required, use a VPN with current security patches; monitor VPN access logs

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

Relion 670 series

HOTFIXUpdate Relion 670 series to firmware version 2.2.3.7 or later

All products

HOTFIXUpdate Relion 650 series to firmware version 2.1.0.6 or later

HOTFIXUpdate Relion 650 series to firmware version 2.2.4.4 or later (if running 2.2.4.x)

HOTFIXUpdate Relion 650/SAM600-IO series to firmware version 2.2.1.9 or later (if running 2.2.1.x)

HOTFIXUpdate Relion 650/SAM600-IO series to firmware version 2.2.5.6 or later (if running 2.2.5.x)

Long-term hardening

0/2

HARDENINGImplement network segmentation: place Relion devices and control system networks behind firewalls, isolated from business networks and the internet

HARDENINGRestrict network access to Relion devices to only authorized engineering and control stations; use access control lists at network switches if possible

CVEs (1)

CVE-2023-4518

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/07ee92e4-4518-4723-bf59-541c2daf888c