Alerts issued by CISA outline vulnerabilities in Industrial Control System (ICS) equipment from Delta, Fuji Electric, SunPower, and Hitachi Energy; they also offer strategies for risk reduction.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four new advisories detailing potential cybersecurity risks and vulnerabilities in industrial control systems equipment from Delta Electronics, Fuji Electric, SunPower, and Hitachi Energy. These vulnerabilities could compromise the integrity, confidentiality, and availability of solar power generation assets, protection relays, and other critical infrastructure.
Vulnerabilities in Delta Electronics and Fuji Electric Equipment
CISA has disclosed an "improper restriction of XML external entity reference" vulnerability in Delta Electronics' EIP Builder, tracked as CVE-2025-57704. The vulnerability has a CVSS v3.1 base score of 5.5 and a CVSS v4 score of 6.7. Delta Electronics recommends that users update to V1.12 to address this issue.
In a separate advisory, Fuji Electric warns of a deserialization of untrusted data vulnerability, tracked as CVE-2025-9365, in one of its products. This vulnerability has a CVSS v3.1 base score of 7.8 and a CVSS v4 score of 8.4. Fuji Electric advises users to update to v1.4.0.1 or later to address the issue.
Vulnerabilities in SunPower and Hitachi Energy Equipment
SunPower's PVS6 device is affected by a vulnerability stemming from its use of hardcoded encryption parameters and publicly accessible protocol details. The flaw, tracked as CVE-2025-9696, has a CVSS v3.1 base score of 9.6 and a CVSS v4 score of 9.4; CISA notes that these weaknesses could compromise visibility into solar power generation assets.
Hitachi Energy outlined several specific workarounds and mitigations to reduce risk in its Relion 670 and 650 series protection relays and SAM600-IO modules. The Relion 670 series is affected in versions 2.2.2.6, 2.2.3.7, 2.2.4.4, and 2.2.5.6, along with all versions from 2.2.6.0 to 2.2.6.2. The Relion 650 series is affected in versions 2.2.4.4 and 2.2.5.6, as well as all versions from 2.2.6.0 to 2.2.6.2. The SAM600-IO is vulnerable in version 2.2.5.6. Hitachi Energy has resolved these flaws in the following versions:
- For version 2.2.5.6 of the Relion 670 series, the Relion 650 series, and the SAM600-IO series, the flaw has been resolved in version 2.2.5.7, with updates to version 2.2.5.8 or later recommended.
- For the Relion 670 series version 2.2.4.4 and the Relion 650 series version 2.2.4.4, users should update to version 2.2.4.5 or later.
The vulnerability in the SunPower PVS6 device was reported to CISA by the company Dragos, Inc. before the advisory was published.
Denial-of-Service Vulnerability in Relion 670/650 and SAM600-IO Series Devices
A denial-of-service vulnerability due to improper prioritization of network traffic over protection mechanisms exists in the Relion 670/650 and SAM600-IO series devices. CISA encourages asset owners, administrators, and security teams to review the advisories in full, apply vendor-issued patches, and adopt layered defense measures to safeguard against potential exploitation.
Second Advisory Highlights Vulnerabilities in Fuji Electric's FRENIC-Loader 4 Software
A second advisory highlights vulnerabilities in Fuji Electric's FRENIC-Loader 4 software, which could allow arbitrary code execution or unauthorized system access. The vulnerability, tracked as CVE-2025-2403, has a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7.