OTPulse

Hitachi Energy AFS, AFR and AFF Series

Act Now · CVSS 9 · ICS-CERT ICSA-25-350-03 · Dec 16, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

RADIUS authentication vulnerability in Hitachi Energy AFS, AFR and AFF series protective relay and automation devices. The vulnerability could allow an attacker to compromise product data integrity and disrupt availability. All versions of affected products are vulnerable with no patch planned. The attack has high complexity.

What this means
What could happen
An attacker could bypass RADIUS authentication controls on protective relays and automation equipment, potentially allowing unauthorized access to modify device configurations or disable critical grid protection functions, impacting power delivery or equipment protection systems.
Who's at risk
Energy sector operators responsible for protective relays and grid automation equipment. Specifically affects Hitachi Energy AFS (660, 665, 670, 675, 677), AFR (677), and AFF (660, 665) series devices used in substations and power plants for equipment protection, control, and automation functions.
How it could be exploited
An attacker with network access to a RADIUS server or the ability to intercept RADIUS traffic to an affected device could exploit the lack of message authenticator validation to forge authentication responses. This would require network connectivity to the device and knowledge of the RADIUS configuration.
Prerequisites
  • Network access to RADIUS server or RADIUS traffic between server and device
  • Device configured to use RADIUS authentication
  • High technical complexity and detailed knowledge of RADIUS protocol implementation
Tags: remotely exploitable · no patch available · affects protective relay/safety systems · high EPSS score (23.8%)
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (11; all 11 EOL)

Product                      Affected Versions   Fix Status
AFS 670 v2.0 (vers:all/*)    All versions        No fix (EOL)
AFF 665 (vers:all/*)         All versions        No fix (EOL)
AFS 660-B/C/S (vers:all/*)   All versions        No fix (EOL)
AFS 665-B/S (vers:all/*)     All versions        No fix (EOL)
AFS 650 (vers:all/*)         All versions        No fix (EOL)
AFS 655 (vers:all/*)         All versions        No fix (EOL)
AFS 670 (vers:all/*)         All versions        No fix (EOL)
AFS 675 (vers:all/*)         All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Enable the RADIUS message authenticator option on all affected devices using the vendor-specific commands (for AFS65x, AFS67x, AFR67x: 'radius server msgauth'; for AFS66x, AFS670 v2.0, AFF66x: 'radius server auth modify msgauth')
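What the message authenticator option actually adds, as an added example that is not Hitachi Energy code and not taken from the advisory: a generic RADIUS client-side validator written from RFC 2865 and RFC 2869. The Response Authenticator on an Access-Accept is a plain MD5 over the packet and the shared secret; the Message-Authenticator (attribute 80) is an HMAC-MD5 keyed with the secret. With require_msgauth=True (the behaviour the 'msgauth' commands turn on, as assumed here; the devices' own implementation is not described on this page) a response that lacks the attribute or carries a wrong value is rejected instead of being trusted on the Response Authenticator alone. The shared secret, identifier, Request Authenticator and attribute values are constructed test data.

```python
"""Client-side validation of a RADIUS Access-Accept with and without a
Message-Authenticator (RFC 2869 attribute 80).  Generic RFC implementation
written for this page; not vendor code.  All values below are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs (type, length, value)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Parse RADIUS TLVs, rejecting truncated or zero-length attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret, sign=True):
    """Build an Access-Accept/Reject the way a RADIUS server does.  With
    sign=True a Message-Authenticator is appended: HMAC-MD5 over the packet
    with the Authenticator field holding the Request Authenticator and the
    attribute value zeroed.  The Response Authenticator is computed last."""
    if sign:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if sign:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac          # Message-Authenticator is the last TLV
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def validate_response(pkt, request_auth, secret, require_msgauth=True):
    """Return (accepted, reason).  require_msgauth=True is the hardened mode:
    a response without a valid Message-Authenticator is rejected rather than
    accepted on the MD5 Response Authenticator alone."""
    if len(pkt) < 20:
        return False, "short packet"
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return False, "length field does not match packet"
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    # RFC 2865 Response Authenticator: unkeyed MD5 over packet || secret
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    try:
        attrs = parse_attrs(body)
    except ValueError as exc:
        return False, str(exc)
    found = [i for i, (t, _) in enumerate(attrs) if t == MESSAGE_AUTHENTICATOR]
    if not found:
        if require_msgauth:
            return False, "missing Message-Authenticator"
        return True, "accepted on Response Authenticator only (legacy mode)"
    idx = found[0]
    value = attrs[idx][1]
    if len(value) != 16:
        return False, "malformed Message-Authenticator"
    zeroed = list(attrs)
    zeroed[idx] = (MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, header + request_auth + encode_attrs(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(mac, value):
        return False, "bad Message-Authenticator"
    return True, "ok"


def demo():
    """Constructed exchange: the same Access-Accept with and without attribute 80."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))      # random in a real Access-Request
    attrs = [(USER_NAME, b"relay-admin"), (REPLY_MESSAGE, b"welcome")]
    signed = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, sign=True)
    unsigned = build_response(ACCESS_ACCEPT, 7, request_auth, attrs, secret, sign=False)
    return {
        "signed/strict": validate_response(signed, request_auth, secret, True),
        "unsigned/strict": validate_response(unsigned, request_auth, secret, True),
        "unsigned/legacy": validate_response(unsigned, request_auth, secret, False),
        "wrong-secret": validate_response(signed, request_auth, b"other", True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

The "unsigned/legacy" case is the state the advisory describes: a device that does not require the attribute accepts any response whose MD5 Response Authenticator checks out. The same packet is refused in strict mode, which is the point of the workaround; note that the option only helps when the RADIUS server side also emits the attribute on every Access-Accept.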
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AFS 670 v2.0: vers:all/*, AFF 665: vers:all/*, AFS 660-B/C/S: vers:all/*, AFS 665-B/S: vers:all/*, AFS 650: vers:all/*, AFS 655: vers:all/*, AFS 670: vers:all/*, AFS 675: vers:all/*, AFS 677: vers:all/*, AFR 677: vers:all/*, AFF 660: vers:all/*. Apply the following compensating controls:
HARDENING: Segment protective relay networks behind firewalls, isolating automation devices from business network and internet access
HARDENING: Restrict network access to RADIUS servers and authentication infrastructure to only authorized engineering and management systems
HARDENING: Implement VPN for any required remote access to protective relay management interfaces