PatchSiren cyber security CVE debrief
CVE-2024-2103 Schweitzer Engineering Laboratories CVE debrief
CVE-2024-2103 is a medium-severity vulnerability (CVSS 3.1: 6.5) affecting multiple Schweitzer Engineering Laboratories (SEL) 700 series protective relays used in industrial control systems and electric utility environments. The vulnerability involves the inclusion of undocumented features that become accessible when an attacker authenticates with privileged access credentials. Successful exploitation could cause the affected relay to behave unpredictably, potentially disrupting critical protection functions for generators, transformers, motors, and feeders. The vulnerability was disclosed on April 4, 2024, via CISA's ICS advisory program (ICSA-24-095-02). Nine distinct product-version combinations are affected across six relay product families, including the SEL-700BT Motor Bus Transfer Relay, SEL-700G Generator Protection Relay, SEL-710-5 Motor Protection Relay, SEL-751 Feeder Protection Relay, SEL-787-2/-3/-4 Transformer Protection Relay, and SEL-787Z High-Impedance Differential Relay. The vendor has released firmware updates to address this issue. Organizations operating these devices should prioritize patching, particularly in environments where relay malfunction could impact grid stability or equipment protection.
- Vendor
- Schweitzer Engineering Laboratories
- Product
- SEL-700BT Motor Bus Transfer Relay
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-04-04
- Original CVE updated
- 2024-04-04
- Advisory published
- 2024-04-04
- Advisory updated
- 2024-04-04
Who should care
Electric utilities, industrial facility operators, and critical infrastructure owners utilizing SEL 700 series protective relays for generator, transformer, motor, or feeder protection. Organizations subject to NERC CIP or other industrial cybersecurity regulations should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the firmware of SEL 700 series protective relays and is categorized as 'Inclusion of Undocumented Features' (CWE-912). The attack vector is network-based (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H). No user interaction is required. Successful exploitation impacts integrity and availability (I:H, A:H) with no confidentiality impact. The vulnerability is not present in CISA's Known Exploited Vulnerabilities catalog. Affected firmware versions span multiple release trains (R100-V0 through R400-V0) across nine specific product-version combinations. Vendor fixes are available that update firmware to specified minimum versions (R301-V6, R302-V1, R302-V3, R400-V2 depending on product).
Defensive priority
medium
Recommended defensive actions
- Apply vendor firmware updates to affected SEL 700 series relays per the specific version guidance for each product model
- Restrict network access to relay management interfaces to authorized engineering workstations only
- Audit and rotate privileged credentials for relay access, enforcing multi-factor authentication where supported
- Monitor relay configuration and operational logs for unauthorized changes or anomalous behavior
- Review network segmentation between IT and OT environments to limit lateral movement paths to critical protection relays
- Validate backup and recovery procedures for relay configurations before applying firmware updates
Evidence notes
Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-24-095-02. CVSS score and vector from source metadata. Remediation guidance extracted from vendor_fix entries in CSAF remediations array.
Official resources
-
CVE-2024-2103 CVE record
CVE.org
-
CVE-2024-2103 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-04-04