PatchSiren cyber security CVE debrief
CVE-2020-35198 Hitachi Energy CVE debrief
CVE-2020-35198 is a critical memory-corruption issue described as an integer overflow in Wind River VxWorks 7 calloc() size calculation. In the supplied CISA CSAF advisory, Hitachi Energy maps the issue to multiple Relion 670, Relion 650, and SAM-IO product versions and provides fixed-version updates for many affected releases. The advisory was initially published on 2021-12-16 and revised on 2025-05-27 to update the fixed-version table.
- Vendor
- Hitachi Energy
- Product
- Relion 670 series version 2.2.5 revisions up to 2.2.5.1
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2021-12-16
- Original CVE updated
- 2025-05-27
- Advisory published
- 2021-12-16
- Advisory updated
- 2025-05-27
Who should care
Organizations operating Hitachi Energy Relion 670, Relion 650, or SAM-IO devices, especially OT/ICS teams responsible for firmware management, patching, and outage planning. Security teams should also prioritize any environment where these products are network-reachable or support remote administration.
Technical summary
The issue is an integer overflow during memory block size calculation for calloc(), which can cause the allocator to reserve less memory than intended. That mismatch can lead to memory corruption. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a network-reachable, low-complexity condition with no privileges or user interaction required and potentially severe confidentiality, integrity, and availability impact.
Defensive priority
Immediate remediation for affected versions; treat as high-priority patching in OT maintenance windows.
Recommended defensive actions
- Upgrade affected Hitachi Energy products to the vendor-fixed versions listed in the advisory: 2.2.5.2, 2.2.4.3, 2.2.3.5, 2.2.2.5, or 2.2.1.8 as applicable.
- For versions covered only by mitigation guidance (Relion 670 1.1 to 2.2.0 all revisions and Relion 650 1.0 to 2.2.0 all revisions), follow the advisory's Mitigation Factors/Workaround section and limit exposure until a U
- Validate asset inventory to identify all deployed Relion 670, Relion 650, and SAM-IO instances and compare exact revision levels against the advisory's affected-product list.
- Prioritize any externally reachable or remotely administered deployments for faster remediation and temporary network segmentation if immediate upgrade is not possible.
- After updating, verify firmware/revision status and document compensating controls for any systems that cannot be patched immediately.
Evidence notes
The primary evidence is the CISA CSAF source item for ICSA-25-155-02, which lists CVE-2020-35198, the affected Hitachi Energy product versions, and the vendor remediations. The source record also states the underlying flaw as a calloc() size-calculation integer overflow in Wind River VxWorks 7 that can result in undersized allocation and memory corruption. The supplied timeline shows the CVE was published on 2021-12-16 and modified on 2025-05-27; the 2025 revision updated the fixed-version table. The corpus does not mark this CVE as KEV-listed.
Official resources
-
CVE-2020-35198 CVE record
CVE.org
-
CVE-2020-35198 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA CSAF on 2021-12-16 and revised on 2025-05-27 to update fixed versions. Not listed as KEV in the supplied corpus.