Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published four ICS (industrial control systems) advisories, delivering... The post CISA issues ICS advisories highlighting hardware flaws in Hitachi Energy, Mitsubishi Electric industrial systems appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Improper Disk Space Management Leading to Reboot in Hitachi Energy Relion/SAM600 Series
## CVE Details
- CVE ID: CVE-2025-1718
- CVSS Score: 6.5 (CVSS V3.1) / 7.1 (CVSS V4)
- CWE: Improper check for unusual or exceptional conditions
## Affected Systems
- Products: Hitachi Energy Relion 670 Series, Relion 650 Series, SAM600-IO Series
- Versions:
  - **Relion 650 Series:** v1.0.0 up to (but not including) 2.0.0; 2.1.0 up to 2.2.0; 2.2.0 up to 2.2.0.13; 2.2.1.0 through 2.2.1.8; 2.2.4.0 through 2.2.4.5; 2.2.5.0 through 2.2.5.7; 2.2.6.0 through 2.2.6.3.
  - **Relion 670 Series:** v1.0.0 up to 2.0.0; 2.0.0 up to 2.1.0; 2.1.0 up to 2.2.0; 2.2.0 through 2.2.0.13; 2.2.1.0 through 2.2.1.8; 2.2.2.0 through 2.2.2.6; 2.2.3.0 through 2.2.3.7; 2.2.4.0 through 2.2.4.5; 2.2.5.0 through 2.2.5.7; 2.2.6.0 through 2.2.6.3.
  - **SAM600-IO:** 2.2.1.0 through 2.2.1.6; 2.2.5.0 through 2.2.5.7.
- Configurations: Requires an authenticated user with file access privilege via FTP access.
## Vulnerability Description
The vulnerability stems from improper disk space management within the Relion 670/650 and SAM600-IO series devices. A remote, authenticated attacker leveraging file access privileges over FTP can intentionally cause the device to consume disk resources to a point that forces the system to reboot, resulting in a denial of service.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but technical details are published.
- Complexity: Medium (Requires authentication and FTP file access privileges).
- Attack Vector: Network
## Impact
- Confidentiality: Unknown/Low (Potential for data exposure during subsequent reboots, but primary impact is operational).
- Integrity: Unknown/Low
- Availability: High (Causes device reboot/Denial of Service).
## Remediation
### Patches
- **Relion 670/650 (Versions 2.2.6.x):** Update to version 2.2.6.4 or later (when available).
- **Relion 670/650 & SAM600-IO (Versions 2.2.5.x):** Update to version 2.2.5.8 or later.
- **Relion 670/650 & SAM600-IO (If running specific 2.2.6/2.2.5 versions):** Upgrade to version 2.2.7.
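
To triage an asset inventory against the affected versions, the following added example (not vendor or CISA code) encodes the inclusive "through" ranges this page lists for Relion 670 and SAM600-IO, plus the branch fixes named under Patches, and compares firmware versions numerically so that 2.2.0.13 sorts after 2.2.0.2. The inventory entries and function names are constructed for illustration; Relion 650 and the "up to" ranges are not encoded, so `not-listed` only means the version falls outside the encoded ranges.

```python
# Added example, not vendor code. Ranges and fix versions are transcribed from
# this page; only the inclusive "through" ranges are encoded.

def parse(version):
    """'2.2.0.13' -> (2, 2, 0, 13); pad to 4 fields so comparison is numeric."""
    fields = [int(f) for f in version.strip().lstrip("vV").split(".")]
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(fields + [0] * (4 - len(fields)))

R670 = [("2.2.0", "2.2.0.13"), ("2.2.1.0", "2.2.1.8"), ("2.2.2.0", "2.2.2.6"),
        ("2.2.3.0", "2.2.3.7"), ("2.2.4.0", "2.2.4.5"), ("2.2.5.0", "2.2.5.7"),
        ("2.2.6.0", "2.2.6.3")]
SAM600 = [("2.2.1.0", "2.2.1.6"), ("2.2.5.0", "2.2.5.7")]
AFFECTED = {"Relion 670": R670, "SAM600-IO": SAM600}

# Fixed releases named under "Patches", keyed by release branch.
FIXED = {(2, 2, 5): "2.2.5.8", (2, 2, 6): "2.2.6.4"}

def triage(product, version):
    """Return (status, fix); status is 'affected' or 'not-listed'."""
    v = parse(version)
    for low, high in AFFECTED[product]:
        if parse(low) <= v <= parse(high):
            # fix is None when this page names no fix for that branch
            return "affected", FIXED.get(v[:3])
    return "not-listed", None

# Constructed inventory: (hypothetical asset name, product, firmware version).
INVENTORY = [
    ("bay-07-prot", "Relion 670", "2.2.0.13"),
    ("bay-09-prot", "Relion 670", "2.2.6.2"),
    ("bay-11-prot", "Relion 670", "2.2.5.8"),
    ("mu-03", "SAM600-IO", "2.2.5.3"),
]

def report(inventory):
    """Map each asset name to its (status, fix) result."""
    return {name: triage(product, ver) for name, product, ver in inventory}

if __name__ == "__main__":
    for name, (status, fix) in report(INVENTORY).items():
        print(f"{name}: {status}, fix: {fix or 'see vendor advisory'}")
```
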
### Workarounds
- Hitachi Energy advises applying general mitigation measures across affected products. (Specific details on these general measures should be sourced from the vendor advisory).
## Detection
- Detection methods are not specified in the summary, but monitoring for anomalous FTP login attempts, large file transfers, or unexpected device reboots should be a focus.
## References
- [CISA Advisory ICSA-25-184-01](https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-01)
---
# Vulnerability: Multiple Flaws in Hitachi Energy MicroSCADA X SYS600 (including File Tampering and Auth Bypass)
Multiple CVEs are summarized below, all affecting Hitachi Energy MicroSCADA X SYS600.
## CVE Details - CVE-2025-39201 (MailSlot Tampering)
- CVE ID: CVE-2025-39201
- CVSS Score: 6.1 (CVSS V3.1) / 6.9 (CVSS V4)
- CWE: Insufficient protection against modification of configuration file outside of specified user interface
## Affected Systems - CVE-2025-39201
- Products: MicroSCADA X SYS600
- Versions: 10.0 through 10.6
- Configurations: Related to the mailslot functionality.
## Vulnerability Description - CVE-2025-39201
A vulnerability exists in the mailslot functionality. A local attacker could tamper with the mailslot configuration file, potentially causing denial of the related mailslot service.
## Exploitation - CVE-2025-39201
- Status: Not specified.
- Complexity: Low (Local attacker).
- Attack Vector: Local
## Impact - CVE-2025-39201
- Availability: High (Denial of mailslot service).
---
## CVE Details - CVE-2025-39202 (Monitor/Supervision File Overwrite)
- CVE ID: CVE-2025-39202
- CVSS Score: 7.3 (CVSS V3.1) / 8.3 (CVSS V4)
- CWE: Incorrect Default Permissions
## Affected Systems - CVE-2025-39202
- Products: MicroSCADA X SYS600
- Versions: 10.0 through 10.6
- Configurations: Local, authenticated, low-privilege users accessing Monitor Pro and Supervision log functionalities.
## Vulnerability Description - CVE-2025-39202
Due to incorrect default permissions in the Monitor Pro and Supervision log, a local, authenticated, low-privilege user can view and overwrite files, leading to information leakage and data corruption.
## Exploitation - CVE-2025-39202
- Status: Not specified.
- Complexity: Low
- Attack Vector: Local
## Impact - CVE-2025-39202
- Confidentiality: High (Information leak).
- Integrity: High (Data corruption/overwrite).
---
## CVE Details - CVE-2025-39203 (Denial of Service via Crafted Message)
- CVE ID: CVE-2025-39203
- CVSS Score: 6.5 (CVSS V3.1) / 8.3 (CVSS V4)
- CWE: Not specified (Related to improper message handling).
## Affected Systems - CVE-2025-39203
- Products: MicroSCADA X SYS600
- Versions: 10.5 through 10.6
- Configurations: Related to receiving messages from an IED or remote system.
## Vulnerability Description - CVE-2025-39203
Crafted message content originating from an IED or a remote system can cause a denial-of-service condition, resulting in a disconnection loop.
## Exploitation - CVE-2025-39203
- Status: Not specified.
- Complexity: Medium
- Attack Vector: Network
## Impact - CVE-2025-39203
- Availability: High (Denial of Service/disconnection loop).
---
## CVE Details - CVE-2025-39204 (Data Query Information Leak)
- CVE ID: CVE-2025-39204
- CVSS Score: 6.5 (CVSS V3.1) / 8.5 (CVSS V4)
- CWE: Improper Neutralization of Special Elements used in an Operation on a File System (Path Traversal/Query Injection Risk)
## Affected Systems - CVE-2025-39204
- Products: MicroSCADA X SYS600
- Versions: 10.0 through 10.6
- Configurations: Related to filtering logic in data queries.
## Vulnerability Description - CVE-2025-39204
The filtering query mechanism in MicroSCADA X SYS600 can be malformed, allowing an attacker to return data that leaks the content of any file on the system.
## Exploitation - CVE-2025-39204
- Status: Not specified.
- Complexity: Medium
- Attack Vector: Network
## Impact - CVE-2025-39204
- Confidentiality: High (File content leak).
---
## CVE Details - CVE-2025-39205 (Improper Certificate Validation)
- CVE ID: CVE-2025-39205
- CVSS Score: 6.5 (CVSS V3.1) / 8.3 (CVSS V4)
- CWE: Improper Certificate Validation
## Affected Systems - CVE-2025-39205
- Products: MicroSCADA X SYS600
- Versions: 10.3 through 10.6
- Configurations: Related to the TLS protocol and certificate validation system.
## Vulnerability Description - CVE-2025-39205
A vulnerability exists in certificate validation. The TLS protocol grants excessive permissions due to improper certificate validation, potentially allowing remote Man-in-the-Middle (MITM) attacks.
## Exploitation - CVE-2025-39205
- Status: Not specified.
- Complexity: Medium
- Attack Vector: Network
## Impact - CVE-2025-39205
- Confidentiality: Moderate (Allows MITM eavesdropping).
- Integrity: Moderate (Allows MITM modification).
## Remediation (MicroSCADA X SYS600 Flaws)
### Patches
- **CVE-2025-39201, CVE-2025-39202, CVE-2025-39204:** Users running versions 10.0 through 10.6 should update to version **10.7**.
- **CVE-2025-39203:** Users running versions 10.5 through 10.6 should update to version **10.7**.
### Workarounds
- Hitachi Energy has provided workarounds and mitigations, which should be reviewed in the vendor advisory.
## Detection (MicroSCADA X SYS600 Flaws)
- Detection should include monitoring for unexpected file reads/writes related to logs or configuration files, connection loop failures, and unusual TLS negotiation traffic.
## References (MicroSCADA X SYS600 Flaws)
- [CISA Advisory ICSA-25-184-02](https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-02)
---
# Vulnerability: Account Lockout Denial of Service in Mitsubishi Electric MELSEC iQ-F Series
## CVE Details
- CVE ID: CVE-2025-5241
- CVSS Score: 5.3 (CVSS V3) / 6.9 (CVSS V4)
- CWE: Overly Restrictive Account Lockout Mechanism
## Affected Systems
- Products: Mitsubishi Electric MELSEC iQ-F Series PLCs (Extensive list, including FX5U, FX5UC, FX5UJ, and FX5S models—see original article for complete list).
- Versions: Not explicitly detailed, but applies across listed hardware models.
- Configurations: Vulnerable to repeated failed login attempts.
## Vulnerability Description
A denial-of-service (DoS) vulnerability exists in the MELSEC iQ-F series due to an overly restrictive account lockout mechanism. A remote attacker can lock out legitimate users for a period of time by repeatedly attempting to log in with an incorrect password.
## Exploitation
- Status: Not specified.
- Complexity: Medium (Requires repeated network access).
- Attack Vector: Network
## Impact
- Availability: High (Legitimate user lockout/DoS).
## Remediation
### Patches
- Mitsubishi Electric stated there are **no plans to release a fixed version** for this vulnerability.
### Workarounds
- Operate the devices within a Local Area Network (LAN) and block connections from untrusted networks/hosts using firewalls.
- Use a firewall or Virtual Private Network (VPN) if Internet connectivity is required.
- Restrict physical access to the devices and connected LAN.
- Enable the **IP filter function** to block access from untrusted hosts.
## Detection
- Monitor for high volumes of failed login attempts directed at the affected PLC devices.
## References
- Utility report from OPSWAT Unit 515.