OTPulse

Hitachi Energy Relion 670/650 and SAM600-IO Series (Update C)

Severity 6.5 · ICS-CERT ICSA-25-184-01 · Jul 3, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Hitachi Energy Relion 670/650 and SAM600-IO series devices contain an improper disk space management vulnerability. An authenticated user with file access privileges via FTP can cause the device to reboot unexpectedly.

What this means
What could happen
An authenticated user with FTP access could force a reboot of your Relion relay or SAM600-IO module, causing brief service interruption to power distribution or metering systems. Multiple reboots could indicate ongoing attack or operational instability.
Who's at risk
Electric utilities and power distribution operators using Hitachi Energy Relion 670 or 650 series protective relays and SAM600-IO series I/O modules should assess whether they run vulnerable firmware versions. These devices are critical for substation protection and SCADA/metering functions. Any affected device should be prioritized for patching or network isolation.
How it could be exploited
An attacker with valid FTP credentials and file access privilege (obtained through credential compromise or insider access) connects to the device's FTP interface and manipulates files in a way that exhausts disk space, triggering an uncontrolled reboot.
Prerequisites
  • Valid FTP credentials with file access privilege on the target device
  • Network access to the FTP service (port 21 or configured FTP port)
  • Ability to write files to the device filesystem
Risk factors
  • Requires valid authentication (medium barrier to entry)
  • Affects safety and protection relays in power systems (critical function)
  • Low exploit complexity once credentials obtained
  • No patch available for 670 v2.0, 2.2.2.x, and 2.2.3.x versions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5): 2 with fix, 3 pending

Product | Affected Versions | Fix Status
Relion 670 series | ≥ 2.2.2.0, ≤ 2.2.2.6 | No fix yet
Relion 670 series | vers:2.0/* (any 2.0.x) | No fix yet
Relion 670/650 series | 650: ≥ 2.2.6.0, ≤ 2.2.6.3; ≥ 2.2.4.0, ≤ 2.2.4.5; ≥ 2.2.1.0, ≤ 2.2.1.8 and 3 more | 2.2.1.9 or latest
Relion 670/650 and SAM600-IO series | 650 and SAM600-IO: ≥ 2.2.5.0, ≤ 2.2.5.7 | 2.2.5.8 or latest
Relion 670 series | ≥ 2.2.3.0, ≤ 2.2.3.7 | No fix yet
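To turn the table above into an inventory check, here is an added example (not code from OTPulse or Hitachi Energy) that compares a device's firmware version against the ranges transcribed from this advisory. The ranges the table elides as "and 3 more" are not encoded, and the device names in the sample inventory are constructed.

```python
# Added example, not code from OTPulse or Hitachi Energy: compare firmware
# versions against the affected ranges transcribed from the advisory table.
# Ranges the table elides ("and 3 more") are NOT encoded, so a miss means
# "not in a listed range", not "safe".
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.2.5.7' -> (2, 2, 5, 7); tuples compare component-wise."""
    return tuple(int(p) for p in v.strip().split("."))


# (products covered, lower bound, upper bound, fixed version). An upper bound
# of None means any version under the prefix (the table's vers:2.0/*); a fixed
# version of None means the advisory lists no fix yet.
RULES = [
    ({"670"},                     "2.0",     None,      None),
    ({"670"},                     "2.2.2.0", "2.2.2.6", None),
    ({"670"},                     "2.2.3.0", "2.2.3.7", None),
    ({"670", "650"},              "2.2.1.0", "2.2.1.8", "2.2.1.9"),
    ({"670", "650"},              "2.2.4.0", "2.2.4.5", "2.2.4.6"),
    ({"670", "650"},              "2.2.6.0", "2.2.6.3", "2.2.6.4"),
    ({"670", "650", "SAM600-IO"}, "2.2.5.0", "2.2.5.7", "2.2.5.8"),
]


def assess(product: str, version: str) -> dict:
    """Say whether (product, version) falls in a listed range and what to do."""
    v = parse_version(version)
    for products, lo, hi, fix in RULES:
        if product not in products:
            continue
        lo_t = parse_version(lo)
        # prefix match for the wildcard rule, inclusive range otherwise
        hit = v[:len(lo_t)] == lo_t if hi is None else lo_t <= v <= parse_version(hi)
        if hit:
            action = (f"update to {fix} or latest, or upgrade to 2.2.7" if fix
                      else "no fix yet: restrict FTP access and isolate the device")
            return {"affected": True, "fix": fix, "action": action}
    return {"affected": False, "fix": None,
            "action": "not in a listed range; confirm against the full advisory"}


# Constructed sample inventory (device names are made up).
INVENTORY = [("SUB-A-REL01", "670", "2.2.2.4"), ("SUB-A-REL02", "650", "2.2.5.3"),
             ("SUB-B-IO01", "SAM600-IO", "2.2.5.8"), ("SUB-B-REL03", "670", "2.0.1")]


def report(inventory=INVENTORY):
    """One (device, affected, action) row per inventory entry."""
    rows = [(name, assess(prod, ver)) for name, prod, ver in inventory]
    return [(name, r["affected"], r["action"]) for name, r in rows]
```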
Remediation & Mitigation

Do now
WORKAROUND: Restrict FTP access to the device using firewall rules; allow only authorized engineering workstations and block FTP traffic from the business network

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Relion 670/650 v2.2.6 up to 2.2.6.3: Update to version 2.2.6.4 or latest, or upgrade to version 2.2.7
HOTFIX: Relion 670/650 and SAM600-IO v2.2.5 up to 2.2.5.7: Update to version 2.2.5.8 or latest, or upgrade to version 2.2.7
HOTFIX: Relion 670/650 v2.2.4 up to 2.2.4.5: Update to version 2.2.4.6 or latest, or upgrade to version 2.2.7
HOTFIX: Relion 670/650 v2.2.1 up to 2.2.1.8: Update to version 2.2.1.9 or latest, or upgrade to version 2.2.7

Long-term hardening
HARDENING: Isolate Relion 670/650 and SAM600-IO devices from the internet and untrusted networks; place devices behind firewalls on a dedicated ICS/OT network segment
HARDENING: Enforce strong, unique FTP credentials for all Relion devices and change default credentials if in use
HARDENING: Use VPN for remote access to Relion devices; ensure VPN is updated to the latest version
API: /api/v1/advisories/8cad4f4f-424b-419f-a1a2-5d3500a3ac15