Hitachi Energy Relion 670/650 and SAM600-IO Series (Update C)

Monitor | CVSS 6.5 | ICS-CERT ICSA-25-184-01 | Jul 3, 2025
Vendor: Hitachi Energy | Sector: Energy
Attack path
Attack Vector: Network
Auth Required: Low (an authenticated account with FTP file-access privilege)
Complexity: Low
User Interaction: None needed
Summary

An authenticated user with FTP file-access privilege on Hitachi Energy Relion 670/650 and SAM600-IO series devices can force the device to reboot by uploading files until disk space is exhausted; the device's disk space management does not prevent or handle this condition. Affected: Relion 670/650 versions 2.2.1.0 through 2.2.1.8, 2.2.4.0 through 2.2.4.5 and 2.2.6.0 through 2.2.6.3; Relion 670/650 and SAM600-IO versions 2.2.5.0 through 2.2.5.7; and Relion 670 versions 2.0.x, 2.2.2.x and 2.2.3.x, which have no vendor fix. Fixed releases exist for the 2.2.1, 2.2.4, 2.2.5 and 2.2.6 branches (2.2.1.9, 2.2.4.6, 2.2.5.8 and 2.2.6.4 respectively), and 2.2.7 is offered as an upgrade path.

What this means
What could happen
An authenticated FTP user on a Relion 670/650 or SAM600-IO device can deliberately fill the disk to trigger an unplanned reboot, interrupting power system monitoring, protection, or control functions. If timed during a grid event or routine maintenance, this could degrade situational awareness or delay response.
Who's at risk
Energy sector operators running Hitachi Energy Relion 670 or 650 series protection and control relays, and SAM600-IO series I/O modules. These devices perform power system protection, monitoring and automation, so an unplanned reboot is a protection outage rather than an IT incident. Affected versions: 2.2.6.0 through 2.2.6.3, 2.2.5.0 through 2.2.5.7, 2.2.4.0 through 2.2.4.5 and 2.2.1.0 through 2.2.1.8, plus all 2.2.2.x, 2.2.3.x and 2.0.x releases, for which no patch is available.
How it could be exploited
An attacker with valid FTP credentials (or who compromised an account with FTP access) connects to the device's FTP service and uploads large files to consume disk space. The device's disk space management does not prevent or handle this properly, causing the device to reboot unexpectedly. This requires the attacker to already have network access to the device and valid credentials.
Prerequisites
  • Valid FTP account credentials on the target device
  • Network access to the device's FTP service (port 21 or configured alternative)
  • File write/upload privilege on the device via FTP
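How a defender would spot the upload pattern described above, as an added example that is not part of this advisory or of any Hitachi Energy or CISA tooling: it runs over constructed log lines in the shape of Zeek's JSON ftp.log (a subset of its fields) and flags three things: uploads toward a relay from outside the approved engineering subnet, a burst of STOR commands whose volume crosses a threshold inside a sliding window, and 452/552 replies, which mean the device is already out of storage. The relay addresses, the engineering subnet and the thresholds are assumptions chosen for illustration.

```python
"""Flag bulk FTP uploads and storage-full replies toward protection relays.

Added example for this advisory, not vendor or CISA tooling. Input is a
constructed sample in the shape of Zeek's JSON ftp.log (subset of fields);
relay addresses, the approved engineering subnet and the thresholds are
assumptions chosen for illustration.
"""
import ipaddress
import json
from collections import defaultdict

RELAYS = {"10.10.5.11", "10.10.5.12"}                    # assumed relay addresses
ENGINEERING_NET = ipaddress.ip_network("10.10.20.0/24")  # assumed approved admin subnet
WINDOW_S = 600               # sliding window for per-session upload volume
BYTE_THRESHOLD = 50_000_000  # bytes uploaded within the window before alerting
COUNT_THRESHOLD = 3          # STOR commands within the window before alerting
STORAGE_FULL_REPLIES = {452, 552}  # RFC 959: insufficient storage / exceeded allocation

# Constructed sample (not real traffic): one normal settings upload, one download,
# a burst of large uploads from an unapproved host ending in a 452 reply, and
# one more legitimate upload.
SAMPLE_FTP_LOG = """\
{"ts":1751500000.1,"id.orig_h":"10.10.20.5","id.resp_h":"10.10.5.11","user":"eng1","command":"STOR","arg":"settings.pcm","file_size":180000,"reply_code":226}
{"ts":1751500030.4,"id.orig_h":"10.10.20.5","id.resp_h":"10.10.5.11","user":"eng1","command":"RETR","arg":"disturb01.cfg","file_size":52000000,"reply_code":226}
{"ts":1751500100.0,"id.orig_h":"10.10.30.77","id.resp_h":"10.10.5.12","user":"ftpuser","command":"STOR","arg":"junk01.bin","file_size":20000000,"reply_code":226}
{"ts":1751500140.0,"id.orig_h":"10.10.30.77","id.resp_h":"10.10.5.12","user":"ftpuser","command":"STOR","arg":"junk02.bin","file_size":20000000,"reply_code":226}
{"ts":1751500180.0,"id.orig_h":"10.10.30.77","id.resp_h":"10.10.5.12","user":"ftpuser","command":"STOR","arg":"junk03.bin","file_size":20000000,"reply_code":226}
{"ts":1751500220.0,"id.orig_h":"10.10.30.77","id.resp_h":"10.10.5.12","user":"ftpuser","command":"STOR","arg":"junk04.bin","file_size":20000000,"reply_code":452}
{"ts":1751500260.0,"id.orig_h":"10.10.20.9","id.resp_h":"10.10.5.12","user":"eng2","command":"STOR","arg":"notes.txt","file_size":4000,"reply_code":226}
"""


def parse_ftp_log(text):
    """Parse JSON-lines ftp.log text into dicts, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            records.append(json.loads(line))
    return records


def detect(records, relays=RELAYS, eng_net=ENGINEERING_NET,
           window_s=WINDOW_S, byte_threshold=BYTE_THRESHOLD,
           count_threshold=COUNT_THRESHOLD):
    """Return a list of alert dicts for FTP activity against the relays."""
    alerts = []
    seen = set()                  # dedupe keys so each condition fires once per session
    uploads = defaultdict(list)   # (src, relay, user) -> [(ts, bytes)] inside the window
    for r in sorted(records, key=lambda rec: rec["ts"]):
        relay = r.get("id.resp_h")
        if relay not in relays:
            continue
        src = r.get("id.orig_h")
        if ipaddress.ip_address(src) not in eng_net:
            key = ("ftp_from_unapproved_source", src, relay)
            if key not in seen:
                seen.add(key)
                alerts.append({"type": key[0], "src": src, "relay": relay,
                               "user": r.get("user"), "ts": r["ts"]})
        if r.get("reply_code") in STORAGE_FULL_REPLIES:
            # The relay is already out of space: treat as an active DoS indicator.
            alerts.append({"type": "storage_full_reply", "src": src, "relay": relay,
                           "user": r.get("user"), "ts": r["ts"],
                           "reply_code": r["reply_code"]})
        if r.get("command") != "STOR":
            continue              # downloads (RETR) do not consume relay disk
        sess = (src, relay, r.get("user"))
        hist = uploads[sess]
        hist.append((r["ts"], r.get("file_size") or 0))
        while hist and r["ts"] - hist[0][0] > window_s:
            hist.pop(0)           # slide the window forward
        total = sum(size for _, size in hist)
        key = ("bulk_upload",) + sess
        if (total >= byte_threshold or len(hist) >= count_threshold) and key not in seen:
            seen.add(key)
            alerts.append({"type": "bulk_upload", "src": src, "relay": relay,
                           "user": sess[2], "ts": r["ts"],
                           "uploads": len(hist), "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_ftp_log(SAMPLE_FTP_LOG)):
        print(alert)
```

Tune the byte and count thresholds to the size of legitimate artifacts (settings files, disturbance records, firmware packages) on your own fleet. A 452 or 552 reply from a relay is worth paging on regardless of volume, because it means the condition the advisory describes is already present on the device.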
Key points
  • Requires valid FTP credentials
  • Requires network access to the device's FTP service
  • No patch available for Relion 670 versions 2.0.x, 2.2.2.x and 2.2.3.x
  • Could trigger unplanned downtime on critical protection relays
  • Low EPSS score, but the operational impact is loss of availability of protection functions
Exploitability
Unlikely to be exploited opportunistically: EPSS score 0.3%. EPSS estimates the probability of exploitation activity in the wild over the next 30 days and is driven by internet-facing, opportunistic attacks; it says little about an insider, or an attacker who has already compromised an engineering workstation holding FTP credentials, which is the realistic path to this device.
Affected products (5): 2 with fix, 3 pending

Product | Affected versions | Fix status
Relion 670 series | 2.2.2.0 to 2.2.2.6 | No fix yet
Relion 670 series | 2.0.x (all releases) | No fix yet
Relion 670/650 series | 2.2.6.0 to 2.2.6.3; 2.2.4.0 to 2.2.4.5; 2.2.1.0 to 2.2.1.8; and 3 more | 2.2.6.4, 2.2.4.6 or 2.2.1.9 (per branch) or latest
Relion 670/650 and SAM600-IO series | 2.2.5.0 to 2.2.5.7 | 2.2.5.8 or latest
Relion 670 series | 2.2.3.0 to 2.2.3.7 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict FTP access to the device to trusted engineering and operations staff only; disable the FTP service if it is not required for daily operations. If FTP must stay enabled, audit which accounts hold file-write privilege on the device and remove it from any account that only needs to read files, since the condition is triggered by uploads.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Relion 670/650 series
HOTFIX: Update Relion 670/650 series version 2.2.6.x to version 2.2.6.4 or latest, or upgrade to version 2.2.7
HOTFIX: Update Relion 670/650 series version 2.2.4.x to version 2.2.4.6 or latest, or upgrade to version 2.2.7
HOTFIX: Update Relion 670/650 series version 2.2.1.x to version 2.2.1.9 or latest, or upgrade to version 2.2.7
Relion 670/650 and SAM600-IO series
HOTFIX: Update Relion 670/650 and SAM600-IO series version 2.2.5.x to version 2.2.5.8 or latest, or upgrade to version 2.2.7
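To apply the affected-version table and the per-branch hotfixes on this page to a device inventory, here is an added example (not Hitachi Energy or CISA tooling) that encodes the ranges from this advisory and classifies each firmware version as affected, fixed, unknown or not listed. The hostnames and versions in the inventory are constructed.

```python
"""Map a Relion 670/650 or SAM600-IO firmware version to this advisory's
affected ranges and fix targets.

Added example, not Hitachi Energy or CISA tooling. The rules are transcribed
from the advisory's affected-products table and hotfix list; the inventory
at the bottom is constructed.
"""
from typing import NamedTuple, Optional, Tuple

Version = Tuple[int, ...]


class Rule(NamedTuple):
    product: str
    branch: Version                   # version prefix, e.g. (2, 2, 6) for 2.2.6.x
    last_affected: Optional[Version]  # highest affected release; None = whole branch
    fix: Optional[str]                # first fixed release; None = no vendor fix


RULES = [
    Rule("Relion 670/650", (2, 2, 6), (2, 2, 6, 3), "2.2.6.4"),
    Rule("Relion 670/650 and SAM600-IO", (2, 2, 5), (2, 2, 5, 7), "2.2.5.8"),
    Rule("Relion 670/650", (2, 2, 4), (2, 2, 4, 5), "2.2.4.6"),
    Rule("Relion 670/650", (2, 2, 1), (2, 2, 1, 8), "2.2.1.9"),
    # Branches with no vendor fix: every release on them is affected.
    Rule("Relion 670", (2, 2, 3), None, None),
    Rule("Relion 670", (2, 2, 2), None, None),
    Rule("Relion 670", (2, 0), None, None),
]


def parse_version(text: str) -> Version:
    """Parse '2.2.6.3' into (2, 2, 6, 3); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> dict:
    """Classify one firmware version as affected, fixed, unknown or not_listed."""
    v = parse_version(version)
    for rule in RULES:
        if v[: len(rule.branch)] != rule.branch:
            continue
        if rule.last_affected is None or v <= rule.last_affected:
            status = "affected"
        elif rule.fix is not None and v >= parse_version(rule.fix):
            status = "fixed"
        else:
            status = "unknown"  # above the listed range but below the fix: check the vendor note
        return {"version": version, "product": rule.product, "status": status, "fix": rule.fix}
    # Not in the table (e.g. 2.2.7, the advisory's upgrade target, or 2.1.x):
    # do not assume safe; confirm against the vendor advisory.
    return {"version": version, "product": None, "status": "not_listed", "fix": None}


# Constructed inventory: (hostname, firmware version).
INVENTORY = [
    ("REL670-BAY01", "2.2.6.2"),
    ("REL650-BAY02", "2.2.6.4"),
    ("SAM600-IO-03", "2.2.5.7"),
    ("REL670-LEGACY", "2.2.2.3"),
    ("REL670-OLD", "2.0.1.10"),
    ("REL670-NEW", "2.2.7.0"),
]


def triage(inventory):
    """Assess every device and return the rows plus a count per status."""
    rows = [dict(assess(ver), host=host) for host, ver in inventory]
    counts = {}
    for row in rows:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return rows, counts


if __name__ == "__main__":
    rows, counts = triage(INVENTORY)
    for row in rows:
        print(f"{row['host']:14} {row['version']:9} {row['status']:10} fix={row['fix']}")
    print(counts)
```

Devices that come back "affected" with fix None are the 2.0.x, 2.2.2.x and 2.2.3.x relays; for those the only options on this page are the FTP restriction workaround and the firewall hardening below, or a planned migration to a supported branch. A "not_listed" result is a prompt to check the vendor advisory, not a clean bill of health.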
Long-term hardening
HARDENING: Implement firewall rules to limit network access to the device's FTP service to approved administrative subnets only