PatchSiren cyber security CVE debrief
CVE-2021-35534 Hitachi Energy CVE debrief
CVE-2021-35534 is an industrial-control vulnerability in Hitachi Energy Relion 670/650/SAM600-IO products. CISA and the vendor describe a database-schema weakness that can be abused after an attacker already has valid account credentials or a session ticket. Through the configuration tool using the proprietary ODBC protocol on TCP 2102, an attacker may manipulate database tables for privilege escalation, leading to unauthorized modification or permanent device disabling. The issue was publicly disclosed on 2021-11-04 and later updated in the advisory record, with the latest source revision dated 2025-02-25.
- Vendor
- Hitachi Energy
- Product
- Relion 670 series
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2021-11-04
- Original CVE updated
- 2025-02-25
- Advisory published
- 2021-11-04
- Advisory updated
- 2025-02-25
Who should care
OT and ICS operators using Hitachi Energy Relion 670 or 650 series, SAM600-IO deployments, and teams responsible for protection relays, substation automation, and configuration management should prioritize this advisory. Security teams should also care if any maintenance workflow exposes the configuration tool or TCP 2102 to broader-than-necessary access.
Technical summary
The advisory says the flaw is in the product’s internal database schema. Exploitation requires prior access to valid credentials for any account or a session ticket for an account. Once authenticated, an attacker can use the configuration tool over proprietary ODBC on TCP 2102 to manipulate database tables and escalate privileges. The reported impact is unauthorized modification or permanent disabling of the device. The advisory includes vendor fixes for multiple product/version branches, including Relion 670 series, Relion 650 series, and Relion SAM600-IO.
Defensive priority
High. The vulnerability affects operational technology devices and can result in device disablement or unauthorized changes, but it requires valid account access first. That makes access control hardening and timely patching the immediate priorities.
Recommended defensive actions
- Update affected systems to the vendor-fixed versions listed in the advisory, including Relion 670/650/SAM600-IO 2.2.1.8, Relion 670 2.2.2.5, Relion 670 2.2.3.5, Relion 670/650 2.2.4.3, Relion 670/650/SAM600-IO 2.2.5.2, 2
- Confirm which exact product family and revision is deployed before scheduling remediation, since affected and fixed versions vary by branch.
- Restrict and monitor access to the configuration tool and the TCP 2102 ODBC service so only authorized maintenance systems and users can reach it.
- Protect account credentials and session tickets with strong access control, least privilege, and secure handling of remote or shared maintenance workflows.
- Use CISA’s industrial-control security guidance and defense-in-depth practices to segment OT assets and limit management-plane exposure.
- Validate that no unauthorized configuration changes or unexpected device disablement events have occurred on exposed relays and related systems.
Evidence notes
All substantive claims are taken from the supplied CISA CSAF advisory content and the referenced vendor/CISA links. The advisory states that exploitation requires prior credential or session-ticket access and that the configuration tool uses proprietary ODBC over TCP 2102. The supplied source also lists affected product families, version-specific remediations, and no KEV designation.
Official resources
-
CVE-2021-35534 CVE record
CVE.org
-
CVE-2021-35534 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in the CISA CSAF advisory and associated vendor materials on 2021-11-04; the source record was later updated, most recently on 2025-02-25.