The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published four ICS (industrial control systems) advisories, delivering timely information about current security issues, vulnerabilities, and exploits. Hardware vulnerabilities were found in equipment from Hitachi Energy and Mitsubishi Electric deployed across the critical infrastructure sector. The agency encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA disclosed in an advisory that Hitachi Energy Relion 670/650 and SAM600-IO series equipment used in the global energy sector contained an ‘improper check for unusual or exceptional conditions’ vulnerability. “An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management.”
The advisory reports that its Relion 650 products are affected from version 1.0.0 up to, but not including, 2.0.0; from 2.1.0 up to 2.2.0; from 2.2.0 up to 2.2.0.13; from 2.2.1.0 through 2.2.1.8; from 2.2.4.0 through 2.2.4.5; from 2.2.5.0 through 2.2.5.7; and from 2.2.6.0 through 2.2.6.3. Relion 670 products are affected from version 1.0.0 up to 2.0.0; from 2.0.0 up to 2.1.0; from 2.1.0 up to 2.2.0; from 2.2.0 through 2.2.0.13; from 2.2.1.0 through 2.2.1.8; from 2.2.2.0 through 2.2.2.6; from 2.2.3.0 through 2.2.3.7; from 2.2.4.0 through 2.2.4.5; from 2.2.5.0 through 2.2.5.7; and from 2.2.6.0 through 2.2.6.3. For the SAM600-IO product, affected versions include 2.2.1.0 through 2.2.1.6 and 2.2.5.0 through 2.2.5.7.
An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management. CVE-2025-1718 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 6.5, while its CVSS v4 base score has been calculated at 7.1. Hitachi Energy PSIRT reported this vulnerability to CISA.
Hitachi Energy has outlined specific workarounds and mitigations to help reduce risk. For Relion 670 and 650 series version 2.2.6 up to 2.2.6.3, users should update to version 2.2.6.4 when available or to the latest release. For Relion 670 and 650 series version 2.2.5 up to 2.2.5.7, as well as SAM600-IO version 2.2.5 up to 2.2.5.7, updating to version 2.2.5.8 or later is recommended.
Additionally, affected Relion 670 and 650 series versions 2.2.5 and 2.2.6, along with SAM600-IO version 2.2.5, should be upgraded to version 2.2.7. Hitachi Energy also advises applying general mitigation measures across affected products.
In another advisory, the CISA reported that Hitachi Energy’s MicroSCADA X SYS600 is affected by multiple flaws, including incorrect default permissions, external control of file names or paths, improper validation of integrity check values, exposure of sensitive information through data queries, and improper certificate validation.
The CISA notice added that “successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content.”
Hitachi Energy reports that MicroSCADA Pro/X SYS600 versions 10.0 through 10.6 are affected by CVE-2025-39201, CVE-2025-39202, CVE-2025-39204, and CVE-2025-39205. Versions 10.5 through 10.6 are affected by CVE-2025-39203, while versions 10.3 through 10.6 are affected by CVE-2025-39205.
A vulnerability exists in the mailslot functionality of the MicroSCADA X SYS600 product. If exploited, this could allow a local attacker to tamper with the mailslot configuration file, making denial of mailslot a related service. CVE-2025-39201 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.1 and a CVSS v4 base score of 6.9.
A vulnerability exists in the Monitor Pro and Supervision log of MicroSCADA X SYS600 product. Local, authenticated low-privilege users can see and overwrite files, causing information leak and data corruption. CVE-2025-39202 has been assigned to this vulnerability, carrying a CVSS v3.1 base score of 7.3 and a CVSS v4 base score of 8.3.
Crafted message content from an IED or a remote system can cause a denial-of-service, resulting in a disconnection loop. CVE-2025-39203 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.5 and a CVSS v4 base score of 8.3.
Filtering query in MicroSCADA X SYS600 can be malformed, so returning data can leak any file content. CVE-2025-39204 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.5 and a CVSS v4 base score of 8.5.
A vulnerability exists in the MicroSCADA X SYS600 certificate validation system. The TLS protocol was allowing remote Man-in-the-Middle attacks due to giving too many permissions. CVE-2025-39205 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.5 and a CVSS v4 base score of 8.3.
Hitachi Energy PSIRT reported these vulnerabilities to CISA.
Hitachi Energy has identified specific workarounds and mitigations to reduce risk. For CVE-2025-39201, CVE-2025-39202, and CVE-2025-39204, users of MicroSCADA X SYS600 versions 10.0 through 10.6 should update to version 10.7.
For CVE-2025-39203, MicroSCADA X SYS600 versions 10.5 through 10.6 should also be updated to version 10.7. Similarly, for CVE-2025-39205, users running versions 10.3 through 10.6 should move to version 10.7. Hitachi Energy confirms that MicroSCADA X SYS600 version 10.7 addresses and fixes all five of these vulnerabilities.
In another advisory, CISA revealed that Mitsubishi Electric MELSOFT Update Manager equipment contained Integer Underflow (Wrap or Wraparound) and Protection Mechanism Failure vulnerabilities. The affected versions of Mitsubishi Electric MELSOFT Update Manager include SW1DND-UDM-M from version 1.000A through 1.012N. “Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition.”
Deployed in the critical manufacturing sector, CISA detailed that the Mitsubishi Electric MELSOFT Update Manager is vulnerable to an Integer Underflow vulnerability in 7-zip, included in MELSOFT Update Manager, which could allow a remote attacker to execute arbitrary code by decompressing a specially crafted compressed file. As a result, the attacker may disclose, tamper with information, or cause a denial-of-service (DoS) condition on the product. CVE-2024-11477 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated.
Mitsubishi Electric MELSOFT Update Manager is vulnerable to a Protection Mechanism Failure vulnerability in 7-zip, included in MELSOFT Update Manager, which could allow an attacker to execute arbitrary code by decompressing a specially crafted compressed file. As a result, the attacker may disclose, tamper with information, or cause a DoS condition on the product. CVE-2025-0411 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated.
Mitsubishi Electric reported these vulnerabilities to CISA.
In another advisory, CISA identified that Mitsubishi Electric Corporation’s MELSEC iQ-F Series contained an overly restrictive account lockout mechanism vulnerability. “Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset.”
CISA noted that versions of the Mitsubishi Electric MELSEC iQ-F Series products affected include FX5U-32MT/ES, FX5U-32MT/DS, FX5U-32MT/ESS, FX5U-32MT/DSS, FX5U-32MR/ES, FX5U-32MR/DS, FX5U-64MT/ES, FX5U-64MT/DS, FX5U-64MT/ESS, FX5U-64MT/DSS, FX5U-64MR/ES, FX5U-64MR/DS, FX5U-80MT/ES, FX5U-80MT/DS, FX5U-80MT/ESS, FX5U-80MT/DSS, FX5U-80MR/ES, FX5U-80MR/DS, FX5UC-32MT/D, FX5UC-32MT/DSS, FX5UC-64MT/D, FX5UC-64MT/DSS, FX5UC-96MT/D, FX5UC-96MT/DSS, FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS, FX5UJ-24MT/ES, FX5UJ-24MT/DS, FX5UJ-24MT/ESS, FX5UJ-24MT/DSS, FX5UJ-24MR/ES, FX5UJ-24MR/DS, FX5UJ-40MT/ES, FX5UJ-40MT/DS, FX5UJ-40MT/ESS, FX5UJ-40MT/DSS, FX5UJ-40MR/ES, FX5UJ-40MR/DS, FX5UJ-60MT/ES, FX5UJ-60MT/DS, FX5UJ-60MT/ESS, FX5UJ-60MT/DSS, FX5UJ-60MR/ES, FX5UJ-60MR/DS, FX5UJ-24MT/ES-A, FX5UJ-24MR/ES-A, FX5UJ-40MT/ES-A, FX5UJ-40MR/ES-A, FX5UJ-60MT/ES-A, FX5UJ-60MR/ES-A, FX5S-30MT/ES, FX5S-30MT/DS, FX5S-30MT/ESS, FX5S-30MT/DSS, FX5S-30MR/ES, FX5S-30MR/DS, FX5S-40MT/ES, FX5S-40MT/DS, FX5S-40MT/ESS, FX5S-40MT/DSS, FX5S-40MR/ES, FX5S-40MR/DS, FX5S-60MT/ES, FX5S-60MT/DS, FX5S-60MT/ESS, FX5S-60MT/DSS, FX5S-60MR/ES, FX5S-60MR/DS, FX5S-80MT/ES, FX5S-80MT/ESS, FX5S-80MR/ES, and FX5-CCLGN-MS.
A denial-of-service (DoS) vulnerability exists in the MELSEC iQ-F series due to an overly restrictive account lockout mechanism. A remote attacker could lock out a legitimate user for a certain period of time by repeatedly attempting to log in with an incorrect password. CVE-2025-5241 has been assigned to this vulnerability, with a CVSS v3 base score of 5.3 and a CVSS v4 base score of 6.9.
Thai Do, Minh Pham, Quan Le, and Loc Nguyen of OPSWAT Unit 515 reported this vulnerability to Mitsubishi Electric.
Mitsubishi Electric stated there are no plans to release a fixed version for this vulnerability. To minimize risk, users should implement the following mitigation measures: use a firewall or virtual private network to prevent unauthorized access if Internet connectivity is required; operate the devices within a local area network and block connections from untrusted networks and hosts through firewalls; restrict physical access to both the affected products and the connected LAN; and enable the IP filter function to block access from untrusted hosts.
