CVE-2025-46750 is a medium-severity vulnerability affecting the BIOS of Schweitzer Engineering Laboratories (SEL) SEL-3350-1 devices, specifically in BIOS packages prior to versions 1.3.49152.117 or 2.6.49152.98. The vulnerability is classified under CWE-305, which relates to authentication bypass. The issue allows a local attacker with high privileges (PR:H) to bypass password authentication mechanisms protecting BIOS settings. This is achieved by importing a BIOS settings file that contains no password, effectively circumventing the intended password protection. The vulnerability does not impact confidentiality but compromises the integrity of BIOS settings, as unauthorized changes can be made without proper authentication. The attack vector is local (AV:L), requiring the attacker to have physical or local system access, and no user interaction is needed (UI:N). The scope remains unchanged (S:U), meaning the impact is confined to the vulnerable component without affecting other system components. The CVSS v3.1 base score is 4.4, reflecting a medium severity level. No known exploits are currently reported in the wild, and no patches or mitigation links have been provided at the time of publication. This vulnerability is significant because BIOS settings control low-level hardware configurations and security features; unauthorized modification could lead to persistent system compromise, disablement of security controls, or facilitate further attacks at the firmware or operating system level.

For European organizations, especially those operating critical infrastructure or industrial control systems where SEL products are commonly deployed, this vulnerability poses a risk to system integrity and operational reliability. Unauthorized BIOS configuration changes could disrupt device functionality, degrade system security, or enable attackers to implant persistent threats that survive OS reinstallation. Given that SEL devices are often used in power generation, transmission, and distribution sectors, exploitation could lead to operational outages or safety incidents. Although the attack requires local access and high privileges, insider threats or attackers gaining physical access to facilities could leverage this vulnerability to undermine system trustworthiness. The lack of confidentiality impact reduces the risk of data leakage, but the integrity compromise could have cascading effects on system availability and safety-critical processes. European organizations with SEL-3350-1 devices should consider this vulnerability in their risk assessments, particularly in environments with less stringent physical security controls or where BIOS-level protections are critical for compliance and operational security.

To mitigate this vulnerability, European organizations should: 1) Immediately verify the BIOS version on all SEL-3350-1 devices and plan for prompt updates to versions 1.3.49152.117 or 2.6.49152.98 once patches are released by Schweitzer Engineering Laboratories. 2) Restrict physical and local access to devices to trusted personnel only, employing strict access control and monitoring to prevent unauthorized local interactions. 3) Implement robust logging and alerting for BIOS configuration changes to detect suspicious activity early. 4) Use hardware security modules or tamper-evident seals to detect unauthorized physical access. 5) Conduct regular security audits and penetration tests focusing on local privilege escalation and BIOS security. 6) Coordinate with SEL support channels to obtain official patches or workarounds and stay informed about any emerging exploits or updates. 7) Consider network segmentation and isolation of critical SEL devices to limit exposure to insider threats. These measures go beyond generic advice by focusing on local access control, monitoring BIOS integrity, and proactive patch management tailored to the operational context of SEL devices.