CVE-2025-2403 Overview
A denial-of-service vulnerability exists in Hitachi Energy Relion 670/650 and SAM600-IO series devices due to improper prioritization of network traffic over protection mechanisms. This vulnerability, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), could allow an unauthenticated remote attacker to disrupt critical industrial control system functions, specifically the Line Distance Communication Module (LDCM), by flooding the device with network traffic.
The Relion 670/650 series and SAM600-IO devices are widely deployed in electrical grid protection and substation automation environments, making this vulnerability particularly concerning for critical infrastructure operators.
Critical Impact
Exploitation could cause critical protection relay functions including LDCM to malfunction, potentially impacting electrical grid stability and protection coordination in substation environments.
Affected Products
- Hitachi Energy Relion 670 Series
- Hitachi Energy Relion 650 Series
- Hitachi Energy SAM600-IO Series
Discovery Timeline
- 2025-06-24 - CVE-2025-2403 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2403
Vulnerability Analysis
This vulnerability stems from improper resource allocation controls within the network traffic handling mechanisms of affected Hitachi Energy devices. The devices fail to adequately prioritize protection-related communications over general network traffic, creating a condition where high volumes of network requests can overwhelm the system's ability to process critical operational functions.
The Line Distance Communication Module (LDCM) is a critical component used in power line protection schemes, enabling communication between protective relays at different ends of transmission lines. When this module malfunctions due to resource exhaustion, it can impact the ability of the protection system to properly coordinate fault detection and clearance operations.
The attack can be executed remotely over the network without authentication, requiring no user interaction. The vulnerability affects the availability of the system while confidentiality and integrity remain unaffected.
Root Cause
The root cause is CWE-770: Allocation of Resources Without Limits or Throttling. The affected devices do not implement adequate rate limiting or traffic prioritization mechanisms to ensure that protection-critical communications receive preferential treatment over lower-priority network traffic. This design flaw allows an attacker to consume available resources by generating excessive network traffic, starving critical functions of the processing capacity they require.
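To make the CWE-770 root cause concrete, here is an added Python model (not Hitachi Energy code, and not a description of the devices' real internals) of one processing interval with a fixed frame budget: a class-blind first-come-first-served handler beside a hardened handler that admits protection (LDCM) frames first and throttles general traffic to the capacity that remains. The 100-frame capacity, the 20-frame reservation and the traffic mix are assumed values.

```python
CAPACITY = 100           # frames the device can process per interval (assumed value)
RESERVED_FOR_LDCM = 20   # hardened design: capacity never available to general traffic

def build_interval(n_ldcm, n_other):
    """Constructed arrival stream for one interval: LDCM frames spaced evenly
    among general ("other") network frames, as a flood would interleave them."""
    arrivals = ["other"] * (n_ldcm + n_other)
    if n_ldcm:
        step = len(arrivals) // n_ldcm
        for i in range(n_ldcm):
            arrivals[i * step + step // 2] = "ldcm"
    return arrivals

def fifo_service(arrivals, capacity=CAPACITY):
    """Model of the vulnerable behaviour: frames are handled strictly in arrival
    order with no class awareness, so whatever fills the budget first wins.
    Returns (ldcm_served, other_served)."""
    served = arrivals[:capacity]
    return served.count("ldcm"), served.count("other")

def prioritized_service(arrivals, capacity=CAPACITY, reserved=RESERVED_FOR_LDCM):
    """Hardened model: protection frames are admitted first, and general traffic
    is throttled so it can never take more than capacity - reserved slots.
    Returns (ldcm_served, other_served)."""
    n_ldcm = arrivals.count("ldcm")
    n_other = arrivals.count("other")
    ldcm_served = min(n_ldcm, capacity)
    other_served = min(n_other, capacity - max(ldcm_served, reserved))
    return ldcm_served, other_served

if __name__ == "__main__":
    normal = build_interval(10, 50)   # quiet interval: everything fits in the budget
    flood = build_interval(10, 990)   # flood interval: ten times over capacity
    for name, interval in (("normal", normal), ("flood", flood)):
        print(name, "fifo:", fifo_service(interval),
              "prioritized:", prioritized_service(interval))
```

In the flood interval the FIFO model services only 1 of the 10 LDCM frames, while the prioritized model services all 10 and caps general traffic at 80; in the quiet interval both models service everything.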
Attack Vector
The attack leverages network-based access to the vulnerable devices. An attacker with network connectivity to the Relion 670/650 or SAM600-IO devices can send a high volume of network packets to exhaust system resources. The attack does not require any privileges or user interaction, making it relatively straightforward to execute from any network position with connectivity to the target device.
The attack mechanism involves overwhelming the device's network processing capabilities, which in turn degrades or disables the LDCM functionality. This can be achieved through various network flooding techniques targeting the device's communication interfaces.
Detection Methods for CVE-2025-2403
Indicators of Compromise
- Abnormally high network traffic volume directed at Relion 670/650 or SAM600-IO devices
- LDCM communication failures or timeouts in protection relay logs
- Increased CPU or memory utilization on affected devices
- Protection scheme communication alarms in substation SCADA systems
Detection Strategies
- Implement network baseline monitoring to detect anomalous traffic patterns targeting industrial control devices
- Configure alerting for LDCM communication failures or degradation events in protection relay systems
- Deploy network intrusion detection systems (IDS) with rules to identify potential DoS attack patterns against ICS/SCADA infrastructure
- Monitor device health metrics including CPU utilization, memory consumption, and network interface statistics
Monitoring Recommendations
- Enable logging on affected Relion and SAM600-IO devices and forward logs to a centralized SIEM platform
- Establish baseline communication patterns for LDCM traffic and alert on deviations
- Implement network traffic analysis at substation network boundaries to identify volumetric attacks
- Configure heartbeat monitoring for protection relay communications to detect availability issues promptly
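The detection strategies and monitoring recommendations above combine two signals: a volumetric deviation from the device's traffic baseline and LDCM failure events from relay logs. Here is an added Python example (not vendor tooling) that implements that correlation over constructed sample data; the relay address, the per-minute packet counts, and the log line format are all assumptions, and the baseline deliberately excludes already-flagged minutes so a sustained flood cannot raise its own threshold.

```python
import re
import statistics

RELAY_IP = "10.20.30.40"   # placeholder address for one protection relay

# Constructed per-minute packet counts toward RELAY_IP (sample data, as a SIEM
# might aggregate from switch interface counters or flow records).
PACKETS_PER_MINUTE = {
    "2025-07-01T10:00": 1200, "2025-07-01T10:01": 1180, "2025-07-01T10:02": 1250,
    "2025-07-01T10:03": 1210, "2025-07-01T10:04": 1190, "2025-07-01T10:05": 1230,
    "2025-07-01T10:06": 48000, "2025-07-01T10:07": 51000, "2025-07-01T10:08": 1220,
}

# Constructed relay/SCADA log lines; the format is assumed, not vendor output.
LOG_LINES = [
    "2025-07-01T10:03:10 relay=10.20.30.40 LDCM link=1 status=OK",
    "2025-07-01T10:06:22 relay=10.20.30.40 LDCM link=1 status=TIMEOUT",
    "2025-07-01T10:07:05 relay=10.20.30.40 LDCM link=1 status=COMM_FAIL",
    "2025-07-01T10:08:40 relay=10.20.30.40 LDCM link=1 status=OK",
]
LDCM_FAIL = re.compile(r"^(?P<ts>\S+) relay=(?P<ip>\S+) LDCM .*status=(TIMEOUT|COMM_FAIL)")

def volumetric_anomalies(counts, baseline_minutes=5, k=4.0):
    """Minutes whose count exceeds mean + k*stddev of the last `baseline_minutes`
    normal minutes. Flagged minutes are kept out of the baseline so a sustained
    flood cannot raise the threshold and hide its own later minutes."""
    normal, flagged = [], []
    for key in sorted(counts):
        value = counts[key]
        if len(normal) >= baseline_minutes:
            window = normal[-baseline_minutes:]
            threshold = statistics.mean(window) + k * max(statistics.pstdev(window), 1.0)
            if value > threshold:
                flagged.append(key)
                continue
        normal.append(value)
    return flagged

def ldcm_failure_minutes(lines, relay_ip):
    """Minutes (YYYY-MM-DDTHH:MM) in which the relay logged an LDCM failure."""
    minutes = []
    for line in lines:
        m = LDCM_FAIL.match(line)
        if m and m.group("ip") == relay_ip:
            minutes.append(m.group("ts")[:16])
    return minutes

def correlated_alerts(counts, lines, relay_ip):
    """Minutes where a volumetric spike and an LDCM failure coincide: the two
    indicators from the IoC list together, higher confidence than either alone."""
    return sorted(set(volumetric_anomalies(counts)) & set(ldcm_failure_minutes(lines, relay_ip)))
```

On the sample data both the spike detector and the log parser flag 10:06 and 10:07, so `correlated_alerts` returns those two minutes; a spike without LDCM failures, or failures without a spike, would still surface from the individual functions but not as a correlated alert.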
How to Mitigate CVE-2025-2403
Immediate Actions Required
- Review network segmentation to ensure affected devices are isolated from untrusted network segments
- Implement firewall rules to restrict access to Relion 670/650 and SAM600-IO devices to authorized IP addresses only
- Enable rate limiting on network devices upstream of vulnerable equipment where possible
- Consult the Hitachi Energy security advisory for specific guidance and firmware updates
Patch Information
Hitachi Energy has published security guidance for this vulnerability. Operators should consult the official Hitachi Energy security advisory for detailed patch information, affected firmware versions, and remediation steps. The advisory is available through the Hitachi Energy Document Portal.
Organizations should prioritize testing and deploying any available firmware updates in a staging environment before applying to production systems, following established change management procedures for critical infrastructure.
Workarounds
- Implement network segmentation to isolate protection relay networks from general corporate or untrusted networks
- Deploy hardware firewalls or access control lists to restrict network access to only essential management and communication pathways
- Configure Quality of Service (QoS) policies on network infrastructure to prioritize protection-related traffic
- Consider deploying network-level rate limiting or traffic shaping to mitigate volumetric attack potential
- Establish out-of-band management capabilities to maintain administrative access during network-based attacks
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


