Hitachi Energy AFS, AFR and AFF Series
Act Now · CVSS 9 · ICS-CERT ICSA-25-350-03 · Dec 16, 2025
Hitachi Energy · Energy
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: High
- User Interaction: None needed
Summary
Hitachi Energy AFS, AFR, and AFF series products contain a RADIUS authentication vulnerability (CWE-924) that could compromise data integrity and disrupt availability. The vulnerability affects all versions of AFS 650, 655, 660-B/C/S, 665-B/S, 670, 670 v2.0, 675, 677; AFR 677; and AFF 660, 665. Exploitation requires high attack complexity and network-level access. No vendor patches are planned for any affected products.
What this means
What could happen
An attacker with network access to the RADIUS authentication mechanism could bypass or compromise authentication, potentially gaining unauthorized control of the protective relay to modify settings, disable protection schemes, or disrupt power grid operations.
Who's at risk
Energy sector organizations operating Hitachi Energy protective relays (AFS, AFR, AFF series) used in power generation, transmission, and distribution equipment. These devices control protection schemes for critical power infrastructure. Any organization using these models in substations, power plants, or distribution networks is affected, as no patches are available from the vendor.
How it could be exploited
An attacker on the network segment containing the AFS/AFR/AFF device must craft malicious RADIUS authentication messages that exploit the missing message authenticator validation. By sending crafted RADIUS responses, the attacker could forge authentication packets to bypass or spoof RADIUS server identity, compromising the integrity of the authentication exchange and potentially gaining unauthorized access to the device's configuration and control interfaces.
Prerequisites
- Network access to the RADIUS authentication traffic or the device's RADIUS client interface (typically port 1812/UDP)
- Knowledge of the RADIUS protocol and the target network's RADIUS configuration
- Ability to intercept or influence RADIUS communication (man-in-the-middle position or direct network path to the device)
- No patch available (all versions, all products)
- Affects safety/critical systems (power grid protection relays)
- Remotely exploitable over network
- High EPSS score (23.8%)
- No vendor fix planned
Exploitability
Likely to be exploited — EPSS score 19.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (11)
11 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| AFS 670 v2.0: vers:all/* | All versions | No fix (EOL) |
| AFF 665: vers:all/* | All versions | No fix (EOL) |
| AFS 660-B/C/S: vers:all/* | All versions | No fix (EOL) |
| AFS 665-B/S: vers:all/* | All versions | No fix (EOL) |
| AFS 650: vers:all/* | All versions | No fix (EOL) |
| AFS 655: vers:all/* | All versions | No fix (EOL) |
| AFS 670: vers:all/* | All versions | No fix (EOL) |
| AFS 675: vers:all/* | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Enable RADIUS message authenticator option on all affected devices. For AFS65x, AFS67x, AFR67x: configure 'radius server msgauth' via CLI or set MIB hmAgentRadiusServerMsgAuth. For AFS66x, AFS670 v2.0, AFF66x: configure 'radius server auth modify msgauth' via CLI or set MIB hm2AgentRadiusServerMsgAuth.
- HARDENING: Restrict network access to the RADIUS authentication interface to only trusted RADIUS servers; implement firewall rules to block RADIUS traffic (port 1812/UDP) from untrusted network segments.
Schedule — requires maintenance window
Patching may require device reboot: plan for process interruption.
- HARDENING: Monitor RADIUS authentication events and failed authentication attempts on affected devices for signs of exploitation attempts.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AFS 670 v2.0: vers:all/*, AFF 665: vers:all/*, AFS 660-B/C/S: vers:all/*, AFS 665-B/S: vers:all/*, AFS 650: vers:all/*, AFS 655: vers:all/*, AFS 670: vers:all/*, AFS 675: vers:all/*, AFS 677: vers:all/*, AFR 677: vers:all/*, AFF 660: vers:all/*. Apply the following compensating controls:
- HARDENING: Isolate AFS/AFR/AFF devices from the business network and internet. Ensure protective relays are only reachable from secure engineering/operations networks or behind VPN.
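An illustration of the Message-Authenticator validation that the workaround and monitoring items above rely on, as an added example (not code from the advisory or from Hitachi Energy): it follows the HMAC-MD5 computation in RFC 3579 and classifies a captured RADIUS response as valid, missing or invalid. The shared secret, sample packets and function names are constructed for this example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869 / RFC 3579)

def find_msg_auth(packet: bytes):
    """Return the offset of the Message-Authenticator value, or None if absent."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH:
            if alen != 18:
                raise ValueError("Message-Authenticator must be 18 bytes")
            return pos + 2
        pos += alen
    return None

def check_response(response: bytes, request_auth: bytes, secret: bytes) -> str:
    """Classify a response to a known request as 'valid', 'missing' or 'invalid'."""
    try:
        off = find_msg_auth(response)
    except ValueError:
        return "invalid"
    if off is None:
        return "missing"  # a strict client drops these
    length = struct.unpack("!H", response[2:4])[0]
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the Message-Authenticator value replaced by 16 zero bytes.
    data = (response[:4] + request_auth + response[20:off]
            + bytes(16) + response[off + 16:length])
    expected = hmac.new(secret, data, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, response[off:off + 16]) else "invalid"

def build_accept(ident: int, request_auth: bytes, secret: bytes, with_ma=True) -> bytes:
    """Constructed sample Access-Accept (code 2), as a server holding the secret sends it."""
    attrs = bytes([MSG_AUTH, 18]) + bytes(16) if with_ma else b""
    attrs += bytes([18, 4]) + b"ok"  # Reply-Message attribute (constructed)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, hdr + request_auth + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    resp_auth = hashlib.md5(hdr + request_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs
```

Run over captured traffic, a "missing" result identifies servers that still answer without the attribute, so the device-side option can be confirmed as effective end to end.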
CVEs (1)