CISA and intelligence partners have warned that non-state actors, particularly those from China, are pre-positioning themselves within U.S. critical infrastructure, including power grid systems, to mount disruptive cyberattacks. These threats target vulnerable operational technology (OT) and legacy components, often exploiting weak authentication and edge devices.  

Key Vulnerabilities and Risks 

  • Targeted infrastructure: cyber threats increasingly target renewable energy systems, such as solar and wind installations, and electricity grid management devices that help operate and monitor the power grid.  
  • Pre-positioning attacks, such as Chinese state‑sponsored access (e.g., Volt Typhoon), have compromised IT networks to enable future disruption.  
  • Specific threats: malware capabilities include targeting remote terminal units (RTUs) and breaking industrial control system (ICS) protocols to degrade reliability.  

Mitigation And Actionable Advice 

CISA encourages organizations to take immediate action:  

  • Enhance authentication: implement strict MFA, and eliminate default credentials.  
  • Ensure control systems are not directly accessible from the internet. Remove unnecessary network exposure.  
  • Monitoring: implement continuous monitoring programs to detect anomalies, as highlighted on the CISA ICS web page.  
  • Review advisories: organizations should review specific advisories, such as the SunPower PVS6 device vulnerability (CVE-2025-9696).  

The US Cybersecurity and Infrastructure Security Agency (CISA) published four new advisories on industrial control systems on Tuesday. These advisories detail vulnerabilities in equipment from Delta Electronics, Fuji Electric, SunPower, and Hitachi Energy. The agency said these advisories provide essential technical information and mitigation guidance for asset owners and operators across the critical infrastructure sector.  

The advisory covering Delta Electronics points to an improper restriction of XML external entity reference vulnerability in the company’s EIP Builder, an engineering tool used to build and manage Ethernet/IP networks. Successful exploitation of this vulnerability could allow an attacker to potentially process dangerous external entities, resulting in the disclosure of sensitive information.  

The affected product is deployed in the global critical manufacturing sector. CISA noted that it is vulnerable to an XML external entity vulnerability, which could allow an attacker to disclose sensitive information. The vulnerability is tracked as CSCVE 2025.577704. It carries a CVSS v3.1 base score of 5.5. The updated CVSS v4 rating is 6.7.  

Kimiya, together with the Trend Micro Zero Day Initiative, reported this vulnerability to CISA. Delta Electronics recommends users update to V1.12 CISA 1. Attackers with network access could exploit the flaw to change configurations or disrupt operations. The company urges operators to apply security updates and recommended hardening steps.  

A second advisory highlighted vulnerabilities in Fuji Electric’s FRENIC Loader 4 software, which is used with the company’s variable frequency drives. The flaws could allow arbitrary code execution or unauthorized system access, potentially enabling control hijacking or the forced shutdown of industrial processes. Fuji Electric’s FRENIC Loader 4 is affected in versions earlier than 1.4.0.1.  

The affected product is deployed across commercial facilities. The advisory identified that it is vulnerable to deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. The vulnerability is tracked as CVE-2025-969365. It has a CVSS v3.1 base score of 7.8, and in CVSS v4, the score rises to 8.4.  

Kimiya also reported this vulnerability to CISA. Fuji Electric recommends users update to V1.1.4.0.1.  

CISA also disclosed weaknesses in SunPower’s PVS6 device. The device aggregates data from photovoltaic systems and sends it to monitoring platforms. According to CISA, the flaws could compromise visibility into solar assets. They may also allow broader disruption across renewable energy environments.  

The advisory added that successful exploitation of this vulnerability could allow attackers full access to the device, enabling them to replace firmware (the device’s permanent software), modify settings, disable the device, create secure shell (SSH) tunnels for remote access, and manipulate attached devices.  

The SunPower PVS6’s Bluetooth Low Energy (LE) SAR interface is vulnerable due to its use of hard-coded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device’s servicing interface. This access allows actions such as replacing the firmware (the permanent controlling software), disabling power production, changing grid settings, creating SSH (secure shell) tunnels for remote access, altering firewall settings, and manipulating connected devices. The vulnerability is tracked as CVE-2025-9696. It has a CVSS (Common Vulnerability Scoring System) v3.1 base score of 9.6, while the CVSS v4 score is 9.4.  

The product is deployed across the global energy sector. Dagan and Henderson reported this vulnerability to CISA. However, SunPower did not respond to two CISA attempts to coordinate on these vulnerabilities.  

The last CISA ICS advisory updates a previous notice on Hitachi Energy’s Relion 670 and 650 series protection relays and SAM 600 IO modules. These systems are crucial for substation operations and high-voltage grid protection. The updated advisory gives more technical information and new mitigation strategies for power-sector operators.  

Hitachi Energy confirmed that multiple product lines are affected. The Relion 650 is impacted in versions 2.2.4.4 and 2.2.5.6, as well as all versions from 2.2.6.0 to 2.2.6.2. The Relion 672 is affected in versions 2.2.2.6, 2.2.3.7, 2.2.4.4, and 2.2.5.6, as well as all versions from 2.2.6.0 to 2.2.2.6.2. Additionally, the SAM 600 IO is vulnerable in version 2.2.5.6.  

The affected products are deployed across the energy sector. CISA identified a denial-of-service vulnerability due to improper prioritization of network traffic over protection mechanisms in the Relion 670/650 and SAM 600 IO series devices, which, if exploited, could cause critical functions, such as the LDC (line distance communication module), to malfunction. The vulnerability is tracked as CVE-2025-2403. It has a CVSS v3.1 base score of 7.5, while the CVSS v4 score is 8.7.  

Hitachi Energy PSIRT reported this vulnerability to CISA. Hitachi Energy outlined several specific workarounds and mitigations to reduce risk for the Relion 670 series, version 2.2.6 revisions up to 2.2.6.2, and the Relion 650 series, version 2.2.6 revisions up to 2.2.6.2. The issue has been fixed in version 2.2.6.3, and users are advised to update to version 2.2.6.4 or later.  

For the Relion 670 series version 2.2.5.6, the Relion 650 series version 2.2.5.6, and the SAM 600 IO series version 2.2.5.6, the flaw has been resolved in version 2.2.5.7, with updates recommended to version 2.2.5.8 or later. For the Relion 670 series (version 2.2.4.4) and the Relion 650 series (version 2.2.4), users should update to version 2.2.4.5 or later for all affected products. Hitachi Energy also recommends applying the general mitigation measures provided.  
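The remediation guidance in the two paragraphs above can be applied to a firmware inventory as a version check. The following is an added example, not code from CISA or Hitachi Energy: the rule table is transcribed from those paragraphs only, and the asset names, status labels and sample inventory are constructed for illustration.

```python
import re

# Rules transcribed from the article's Hitachi Energy remediation paragraphs:
# (products, first affected, last affected, fixed in, recommended minimum)
RULES = [
    (("Relion 670", "Relion 650"), "2.2.6.0", "2.2.6.2", "2.2.6.3", "2.2.6.4"),
    (("Relion 670", "Relion 650", "SAM 600 IO"), "2.2.5.6", "2.2.5.6", "2.2.5.7", "2.2.5.8"),
    (("Relion 670", "Relion 650"), "2.2.4.4", "2.2.4.4", "2.2.4.5", "2.2.4.5"),
]

# Constructed sample inventory (asset names and versions are made up).
INVENTORY = [
    ("sub-a-relay-1", "Relion 670", "2.2.6.1"),
    ("sub-a-relay-2", "Relion 650", "2.2.6.3"),
    ("sub-b-io-1", "SAM 600 IO", "2.2.5.6"),
    ("sub-c-relay-4", "relion-650", "2.2.4.4"),
    ("sub-c-relay-5", "Relion 670", "2.2.3.7"),
    ("sub-c-relay-6", "Relion 650", "v2.2.6"),
]

def parse_version(text):
    """Return a four-part firmware version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def _key(product):
    return re.sub(r"[\s\-_/]", "", product).lower()  # 'relion-650' == 'Relion 650'

def triage(product, version):
    """Return (status, version to update to or None) for one asset."""
    v = parse_version(version)
    if v is None:
        return ("UNPARSEABLE", None)
    for products, first, last, fixed, recommended in RULES:
        lo, hi, fx, rec = map(parse_version, (first, last, fixed, recommended))
        # A rule only speaks for its own products and its own release line.
        if _key(product) not in map(_key, products) or v[:3] != lo[:3]:
            continue
        if lo <= v <= hi:
            return ("AFFECTED", recommended)
        if fx <= v < rec:
            return ("FIXED_BELOW_RECOMMENDED", recommended)
        if v >= rec:
            return ("OK", None)
    return ("NOT_COVERED", None)  # the article gives no guidance for this version

def report(inventory):
    return {name: triage(product, version) for name, product, version in inventory}
```

Assets that come back as `NOT_COVERED` or `UNPARSEABLE` need a manual check against the full advisory rather than being treated as safe.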

CISA encouraged asset owners, administrators, and security teams to review the advisories in full, apply vendor-issued patches, and adopt layered defense measures to safeguard against potential exploitation. While the agency said it has not observed active exploitation of the vulnerabilities, it emphasized that attackers continue to target operational technology systems in ongoing campaigns against critical infrastructure.  

The latest advisories reflect a persistent trend of recurring security flaws across the industrial technology ecosystem. In operational technology, these updates are a reminder that vulnerabilities persist and that patching challenges, legacy systems, and operational risks must be factored into defense strategies.  

Just last week, CISA released nine ICS advisories addressing cybersecurity vulnerabilities and risks for asset owners and operators across the critical infrastructure sector. The advisories cover urgent vulnerabilities in hardware and software, including CPU modules from Mitsubishi Electric, remote terminal units from Schneider Electric, CNC tools and communications from Delta Electronics, SCADA (supervisory control and data acquisition) platforms from GE Vernova, and various Mitsubishi FA tools and protection relay systems from Hitachi Energy.  

Source: CISA advisories detail ICS flaws in Delta, Fuji Electric, SunPower, Hitachi Energy hardware; provide mitigation 
