Hitachi Energy Relion 670/650 and SAM600-IO Series (Update A)

Plan PatchCVSS 8.7ICS-CERT ICSA-25-182-06Jul 1, 2025

Hitachi EnergyEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A resource exhaustion vulnerability (CWE-770) exists in Hitachi Energy Relion 670/650 and SAM600-IO series devices. An attacker can send a specially crafted network message to trigger a denial-of-service condition that makes the device unresponsive, disrupting critical control and protection functions. Affected versions include Relion 670 series 2.2.6.0–2.2.6.2, 2.2.5.6, 2.2.4.4, 2.2.3.7, 2.2.2.6; Relion 650 series 2.2.6.0–2.2.6.2, 2.2.5.6, 2.2.4.4; and SAM600-IO series 2.2.5.6. Vendor patches are available for all affected product lines.

What this means

What could happen

An attacker can trigger a denial-of-service condition on Relion 670/650 or SAM600-IO series devices, causing them to become unresponsive and disrupting critical power grid monitoring, control, and protection functions.

Who's at risk

Energy utilities and power system operators running Hitachi Energy Relion 670/650 series protection relays or SAM600-IO series I/O modules are affected. These devices are critical for substation automation, breaker control, and fault protection. Any denial-of-service condition on these devices can blind operators and disable protective functions.

How it could be exploited

An attacker sends a specially crafted network request to the vulnerable device from the internet or connected network. The device processes the request and exhausts system resources (CWE-770 resource exhaustion), becoming unresponsive. No authentication or user interaction is required.

Prerequisites

Network access to the Relion or SAM600-IO device on its management or operational interface port
Device running one of the affected firmware versions (2.2.6.0-2.2.6.2, 2.2.5.6, 2.2.4.4, 2.2.3.7, or 2.2.2.6 depending on model)

remotely exploitableno authentication requiredlow complexityaffects critical protection and control deviceshigh impact on grid stability if chained with other attacks

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Relion 670 series≥ 2.2.6.0, ≤ 2.2.6.22.2.5.62.2.4.42.2.3.72.2.2.62.2.4.5 or latest

Relion 650 series≥ 2.2.6.0, ≤ 2.2.6.22.2.6.4 or latest

Relion 650 series2.2.5.62.2.5.8 or latest

Relion 650 series2.2.4.42.2.4.5 or latest

SAM600-IO series2.2.5.62.2.5.8 or latest

Remediation & Mitigation

0/7

Do now

0/1

HARDENINGRestrict network access to Relion and SAM600-IO devices: ensure they are not directly accessible from the internet and are located behind a firewall on an isolated control system network

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

Relion 670 series

HOTFIXUpdate Relion 670 series devices running version 2.2.6.0–2.2.6.2 to version 2.2.6.4 or latest

Relion 650 series

HOTFIXUpdate Relion 650 series devices running version 2.2.6.0–2.2.6.2 to version 2.2.6.4 or latest

SAM600-IO series

HOTFIXUpdate SAM600-IO series devices running version 2.2.5.6 to version 2.2.5.8 or latest

All products

HOTFIXUpdate Relion 670 and 650 series devices running version 2.2.5.6 to version 2.2.5.8 or latest

HOTFIXUpdate Relion 670 and 650 series devices running version 2.2.4.4 to version 2.2.4.5 or latest

Long-term hardening

0/1

HARDENINGIf remote access to Relion or SAM600-IO devices is necessary, require a VPN connection and ensure the VPN software is kept current with the latest patches

CVEs (1)

CVE-2025-2403

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ec9f5121-eba1-471d-b47e-5eb94481b0db

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.