Hitachi Energy Relion 670/650 and SAM600-IO Series (Update A)

Plan Patch8.7ICS-CERT ICSA-25-182-06Jul 1, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability in Hitachi Energy Relion 670/650 and SAM600-IO series devices allows remote attackers to exhaust system resources and render the device unresponsive through malformed network packets. The affected products include: Relion 670 versions 2.2.2.6 through 2.2.6.2, Relion 650 versions 2.2.4.4 through 2.2.6.2, and SAM600-IO version 2.2.5.6. Successful exploitation causes denial-of-service, disrupting critical protection and control functions until manual device restart.

What this means

What could happen

An attacker could send specially crafted network traffic to cause these protection relays to become unresponsive, disrupting critical grid functions like fault detection and isolation until the device is manually rebooted.

Who's at risk

Electric utilities and power companies that operate Hitachi Energy Relion 670 or 650 protection relays and SAM600-IO I/O modules should prioritize this. These devices are critical for detecting faults and isolating sections of the grid. Any disruption could delay response to faults and risk cascading outages or damage to equipment.

How it could be exploited

An attacker with network access to the device sends malformed packets that trigger an unhandled resource exhaustion condition (CWE-770). The relay processes the packets and becomes unresponsive, requiring a restart to restore functionality.

Prerequisites

Network access to the Relion 670, 650, or SAM600-IO device on port 502 or other management interface
No authentication required

remotely exploitableno authentication requiredlow complexityaffects critical protection/safety functions

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

Relion 670 series≥ 2.2.6.0, ≤ 2.2.6.2; 2.2.5.6; 2.2.4.4; 2.2.3.7; 2.2.2.62.2.4.5 or latest

Relion 650 series≥ 2.2.6.0, ≤ 2.2.6.22.2.6.4 or latest

Relion 650 series2.2.5.62.2.5.8 or latest

Relion 650 series2.2.4.42.2.4.5 or latest

SAM600-IO series2.2.5.62.2.5.8 or latest

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDRestrict network access to Relion devices to only necessary management and control paths using firewall rules; block direct internet access

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Relion 670 series

HOTFIXUpdate Relion 670 series to version 2.2.4.5 or later (if currently on 2.2.4.4 or earlier) or version 2.2.6.4 or later (if on 2.2.6.0–2.2.6.2)

Relion 650 series

HOTFIXUpdate Relion 650 series to version 2.2.4.5 or later (if on 2.2.4.4), 2.2.5.8 or later (if on 2.2.5.6), or 2.2.6.4 or later (if on 2.2.6.0–2.2.6.2)

SAM600-IO series

HOTFIXUpdate SAM600-IO series to version 2.2.5.8 or later (if currently on 2.2.5.6)

Long-term hardening

0/2

HARDENINGIsolate these protection relays on a dedicated OT network segment separate from business networks and internet-connected systems

HARDENINGIf remote access to the relays is required, use a VPN connection to a bastion host rather than exposing the devices directly to untrusted networks

CVEs (1)

CVE-2025-2403

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ec9f5121-eba1-471d-b47e-5eb94481b0db