The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published four new industrial control systems advisories detailing vulnerabilities in equipment from Delta Electronics, Fuji Electric, SunPower, and Hitachi Energy. The agency said these advisories provide critical technical information and mitigation guidance for asset owners and operators across the critical infrastructure sector.

The advisory covering Delta Electronics points to an “improper restriction of XML external entity reference” vulnerability in the company’s EIP Builder, an engineering tool used to build and manage EtherNet/IP networks. “Successful exploitation of this vulnerability could allow an attacker to potentially process dangerous external entities, resulting in disclosure of sensitive information.”

CISA noted that the affected product, which is deployed in the global critical manufacturing sector, is vulnerable to an XML external entity vulnerability that could allow an attacker to disclose sensitive information. The vulnerability is tracked as CVE-2025-57704. It carries a CVSS v3.1 base score of 5.5, while the updated CVSS v4 rating places it higher at 6.7.

kimiya, working with Trend Micro Zero Day Initiative, reported this vulnerability to CISA. Delta Electronics recommends users update to V1.12. CISA warned that attackers with network access could exploit the vulnerabilities to manipulate configurations or disrupt operations, and urged operators to apply security updates and recommended hardening steps.

A second advisory highlighted vulnerabilities in Fuji Electric’s FRENIC-Loader 4 software, which is used with the company’s variable frequency drives. The flaws could allow arbitrary code execution or unauthorized system access, creating the potential for control hijacking or forced shutdown of industrial processes. Fuji Electric’s FRENIC-Loader 4 is affected in versions earlier than 1.4.0.1.

The advisory identified that the affected product, which is deployed across commercial facilities, is vulnerable to deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code. The vulnerability is tracked as CVE-2025-9365. It has a CVSS v3.1 base score of 7.8, and under CVSS v4, the score rises to 8.4.

kimiya also reported this vulnerability to CISA. Fuji Electric recommends users update to v1.4.0.1 or later.

CISA also disclosed weaknesses in SunPower’s PVS6 device, which plays a central role in aggregating data from photovoltaic systems and transmitting it to monitoring platforms. According to the agency, the vulnerabilities could compromise visibility into solar power generation assets and provide a pathway to broader disruption across renewable energy environments.

The advisory added that “Successful exploitation of this vulnerability could allow attackers to gain full access to the device, enabling them to replace firmware, modify settings, disable the device, create SSH tunnels, and manipulate attached devices.”

The SunPower PVS6’s BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device’s servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices. The vulnerability is tracked as CVE-2025-9696. It has a CVSS v3.1 base score of 9.6, while the CVSS v4 score is 9.4.

The product is deployed across the global energy sector. Dagan Henderson reported this vulnerability to CISA. However, SunPower did not respond to CISA’s attempt to coordinate these vulnerabilities.

The final CISA ICS advisory is an update to a previously released notice concerning Hitachi Energy’s Relion 670 and 650 series protection relays and SAM600-IO modules. These systems are essential to substation operations and high-voltage grid protection. The updated advisory expands on earlier findings, offering additional technical information and mitigation strategies for power sector operators.

Hitachi Energy confirmed that multiple product lines are affected. The Relion 650 is impacted in versions 2.2.4.4 and 2.2.5.6, as well as all versions from 2.2.6.0 to 2.2.6.2. The Relion 670 is affected in versions 2.2.2.6, 2.2.3.7, 2.2.4.4, and 2.2.5.6, along with all versions from 2.2.6.0 to 2.2.6.2. In addition, the SAM600-IO is vulnerable in version 2.2.5.6.

CISA identified a denial-of-service vulnerability in the Relion 670/650 and SAM600-IO series devices, which are deployed across the energy sector. The flaw stems from improper prioritization of network traffic over protection mechanisms and, if exploited, could potentially cause critical functions like LDCM (Line Distance Communication Module) to malfunction. The vulnerability is tracked as CVE-2025-2403. It has a CVSS v3.1 base score of 7.5, while the CVSS v4 score is 8.7.

Hitachi Energy PSIRT reported this vulnerability to CISA. Hitachi Energy outlined several specific workarounds and mitigations to reduce risk. For the Relion 670 series version 2.2.6 revisions up to 2.2.6.2 and the Relion 650 series version 2.2.6 revisions up to 2.2.6.2, the issue has been fixed in version 2.2.6.3, and users are advised to update to version 2.2.6.4 or later. 

For the Relion 670 series version 2.2.5.6, the Relion 650 series version 2.2.5.6, and the SAM600-IO series version 2.2.5.6, the flaw has been resolved in version 2.2.5.7, with updates recommended to version 2.2.5.8 or later. For the Relion 670 series version 2.2.4.4 and the Relion 650 series version 2.2.4.4, users should update to version 2.2.4.5 or later. For all affected products, Hitachi Energy also recommends applying the general mitigation measures provided.
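
The affected and fixed versions listed above, expressed as an inventory check for CVE-2025-2403. This is an added example, not code from CISA or Hitachi Energy; the asset names and inventory are constructed. Versions are compared numerically so that a release such as 2.2.6.10 is not mistaken for one inside the 2.2.6.0 to 2.2.6.2 range.

```python
# Added example: triage a firmware inventory against the Hitachi Energy
# version data quoted in this article (CVE-2025-2403).

def parse(version):
    """Turn '2.2.6.1' into (2, 2, 6, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

# (lowest affected, highest affected, recommended update), from the article.
# None means the article names no fixed version for that release.
V66 = ("2.2.6.0", "2.2.6.2", "2.2.6.4")
V56 = ("2.2.5.6", "2.2.5.6", "2.2.5.8")
V44 = ("2.2.4.4", "2.2.4.4", "2.2.4.5")
AFFECTED = {
    "Relion 650": [V44, V56, V66],
    "Relion 670": [("2.2.2.6", "2.2.2.6", None),
                   ("2.2.3.7", "2.2.3.7", None), V44, V56, V66],
    "SAM600-IO": [V56],
}

def triage(product, version):
    """Return (affected, advice) for one device."""
    current = parse(version)
    for low, high, target in AFFECTED.get(product, []):
        if parse(low) <= current <= parse(high):
            if target is None:
                return True, "no fixed version listed; apply general mitigations"
            return True, f"update to {target} or later"
    return False, "not listed as affected"

# Constructed inventory: (hypothetical asset name, product, firmware version).
INVENTORY = [
    ("sub-a-relay1", "Relion 670", "2.2.6.1"),
    ("sub-a-relay2", "Relion 670", "2.2.3.7"),
    ("sub-b-relay1", "Relion 650", "2.2.6.3"),
    ("sub-b-io1", "SAM600-IO", "2.2.5.6"),
    ("sub-c-io1", "SAM600-IO", "2.2.4.4"),
]

def report(inventory=INVENTORY):
    """Map each asset name to its triage result."""
    return {name: triage(product, version)
            for name, product, version in inventory}

if __name__ == "__main__":
    for name, (hit, advice) in report().items():
        print(f"{name}: {'AFFECTED' if hit else 'ok'} - {advice}")
```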

CISA encouraged asset owners, administrators, and security teams to review the advisories in full, apply vendor-issued patches, and adopt layered defense measures to safeguard against potential exploitation. While the agency said it has not observed active exploitation of the vulnerabilities, it emphasized that attackers continue to target operational technology systems as part of ongoing campaigns against critical infrastructure.

The latest advisories reflect a persistent trend of recurring security flaws across the industrial technology ecosystem. For organizations running operational technology, these updates are a reminder that vulnerabilities remain constant and that patching challenges, legacy systems, and operational risks must all be factored into defense strategies.

Just last week, CISA released nine ICS advisories, addressing cybersecurity vulnerabilities and risks for asset owners and operators across the critical infrastructure sector. The advisories cover urgent vulnerabilities in hardware and software, including CPU modules from Mitsubishi Electric, remote terminal units from Schneider Electric, CNC tools and communication managers from Delta Electronics, SCADA (supervisory control and data acquisition) platforms from GE Vernova, various Mitsubishi FA tools, and protection relay systems from Hitachi Energy.
