Hitachi Energy Relion 670, 650, SAM600-IO Series (Update A)

Monitor | CVSS 5.9 | ICS-CERT ICSA-25-160-02 | Jun 10, 2025
Hitachi Energy | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2022-4304 is a timing-based vulnerability in OpenSSL affecting Hitachi Energy Relion 670, 650, and SAM600-IO series relays and I/O modules. An attacker on the network can send trial messages and measure processing times to recover the TLS pre-master secret, enabling decryption of previously captured encrypted traffic. This affects communication confidentiality but does not allow direct command injection or denial of service. Versions affected: Relion 670/650 v2.2.0 (no fix available), v2.2.1.0–2.2.1.8, v2.2.2.0–2.2.2.5, v2.2.3.0–2.2.3.6, v2.2.4.0–2.2.4.3, v2.2.5.0–2.2.5.5, and Relion SAM600-IO v2.2.1.0–2.2.1.8 and v2.2.5.0–2.2.5.5.

What this means
What could happen
An attacker could decrypt encrypted communications sent over the network by exploiting a timing vulnerability in OpenSSL, potentially exposing sensitive data transmitted through the Relion relay or I/O module.
Who's at risk
Power utilities and electrical distribution operators using Hitachi Energy Relion 670 or 650 series protection relays, or SAM600-IO series I/O modules for monitoring and controlling generation, transmission, or distribution equipment should review their firmware versions and upgrade if affected.
How it could be exploited
An attacker on the network sends specially crafted messages to the Relion device and measures response times. By analyzing timing patterns across many messages, they can recover the encryption key used for the connection, allowing them to decrypt previously captured traffic containing operational or configuration data.
Prerequisites
  • Network access to the Relion device
  • Ability to send messages to the device and measure response times
  • Knowledge of the TLS connection protocol being used
  • remotely exploitable
  • affects encryption of operational data
  • requires network timing measurements (moderate complexity)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (6)
5 with fix, 1 pending
Product | Affected Versions | Fix Status
Relion 670/650 series | vers:2.2.0/* | No fix yet
Relion 670/650 series | ≥ 2.2.4, ≤ 2.2.4.3 | 2.2.4.4 or latest
Relion 670/650/SAM600-IO series | ≥ 2.2.1, ≤ 2.2.1.8 | 2.2.1.9 or latest
Relion 670/650/SAM600-IO series | ≥ 2.2.5, ≤ 2.2.5.5 | 2.2.5.6 or latest
Relion 670 series | ≥ 2.2.2, ≤ 2.2.2.5 | 2.2.2.6 or latest
Relion 670 series | ≥ 2.2.3, ≤ 2.2.3.6 | 2.2.3.7 or latest
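
An added example, not part of the advisory or any Hitachi Energy tooling: a Python triage of an asset inventory against the affected-version table above. The product labels ("670", "650", "SAM600-IO"), the inventory format and the host names are assumptions; a result of "not listed" means only that this advisory does not list that version.

```python
import re

# Affected release trains transcribed from the advisory table:
# train -> (products in scope, last affected build or None for the whole train,
#           first fixed version or None when no fix exists yet)
AFFECTED = {
    (2, 2, 0): ({"670", "650"}, None, None),
    (2, 2, 1): ({"670", "650", "SAM600-IO"}, 8, "2.2.1.9"),
    (2, 2, 2): ({"670"}, 5, "2.2.2.6"),
    (2, 2, 3): ({"670"}, 6, "2.2.3.7"),
    (2, 2, 4): ({"670", "650"}, 3, "2.2.4.4"),
    (2, 2, 5): ({"670", "650", "SAM600-IO"}, 5, "2.2.5.6"),
}

def parse_version(text):
    """'v2.2.4' -> (2, 2, 4, 0); raises ValueError on anything else."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(product, version):
    """Return (status, fix_version) for one device.

    status is 'affected', 'not listed' or 'unknown'; fix_version is None
    when the advisory offers no fix (the 2.2.0 train) or none is needed.
    """
    try:
        v = parse_version(version)
    except ValueError:
        return ("unknown", None)  # flag for manual review, never assume safe
    entry = AFFECTED.get(v[:3])
    if entry is None or product not in entry[0]:
        return ("not listed", None)
    _, last_bad, fix = entry
    if last_bad is None or v[3] <= last_bad:
        return ("affected", fix)
    return ("not listed", None)

# Constructed sample inventory: (host, product label, firmware version).
INVENTORY = [
    ("sub1-relay-a", "670", "2.2.0.13"),
    ("sub1-relay-b", "650", "v2.2.4"),
    ("sub2-io-1", "SAM600-IO", "2.2.5.6"),
    ("sub2-relay-c", "670", "n/a"),
]

def report(inventory):
    return {host: triage(product, ver) for host, product, ver in inventory}
```

Devices reported as `('affected', None)` are on the 2.2.0 train, where the network restrictions under Remediation & Mitigation are the only option the advisory lists.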
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Relion devices: block inbound connections from untrusted networks using firewall rules, allowing only management traffic from authorized workstations and control center systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Relion 670/650 series
HOTFIX: Update Relion 670/650 series version 2.2.4.x to version 2.2.4.4 or latest
Relion 670/650/SAM600-IO series
HOTFIX: Update Relion 670/650/SAM600-IO series version 2.2.1.x to version 2.2.1.9 or latest
HOTFIX: Update Relion 670/650/SAM600-IO series version 2.2.5.x to version 2.2.5.6 or latest
Relion 670 series
HOTFIX: Update Relion 670 series version 2.2.2.x to version 2.2.2.6 or latest
HOTFIX: Update Relion 670 series version 2.2.3.x to version 2.2.3.7 or latest
Long-term hardening
HARDENING: Isolate Relion 670, 650, and SAM600-IO devices from the corporate business network; keep them on a separate OT network segment with controlled access points