CVE-2025-48018 is a high-severity vulnerability classified under CWE-502, which involves deserialization of untrusted data in the Schweitzer Engineering Laboratories (SEL) SEL-5030 acSELerator QuickSet Software. This software is used for configuring and managing SEL protective relays, which are critical components in electrical power systems for monitoring and controlling electrical grids. The vulnerability allows an authenticated user to modify application state data by exploiting unsafe deserialization processes. Deserialization vulnerabilities occur when untrusted input is deserialized without proper validation, potentially allowing attackers to manipulate the internal state of an application, execute arbitrary code, or cause denial of service. In this case, the attacker must have some level of authentication (low privileges) and user interaction is required, but the impact is severe, affecting confidentiality, integrity, and availability of the system. The CVSS 3.1 score is 7.5 (high), with vector AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating local attack vector, high attack complexity, low privileges required, user interaction needed, scope changed, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk to critical infrastructure environments where SEL devices are deployed. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring. Given the critical role of SEL devices in power grid stability and security, exploitation could lead to unauthorized control or disruption of electrical systems, potentially causing widespread outages or damage to physical infrastructure.

For European organizations, especially those involved in energy production, transmission, and distribution, this vulnerability presents a substantial threat. SEL protective relays are widely used in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems across Europe’s power grids. Exploitation could lead to unauthorized modification of relay configurations, resulting in incorrect protective actions, grid instability, or outages. The compromise of confidentiality could expose sensitive operational data, while integrity and availability impacts could disrupt power delivery, affecting critical services and economic activities. Given the interconnected nature of European power networks, an incident in one country could have cascading effects regionally. Additionally, the requirement for authentication and user interaction suggests insider threats or compromised credentials could be leveraged by attackers. The high attack complexity somewhat limits mass exploitation but targeted attacks against critical infrastructure operators remain a serious concern. The absence of patches means organizations must rely on compensating controls to reduce risk until official fixes are available.

1. Implement strict access controls and multi-factor authentication (MFA) for all users of the SEL-5030 acSELerator QuickSet Software to reduce the risk of unauthorized authenticated access. 2. Conduct thorough monitoring and logging of all configuration changes and user activities within the software to detect suspicious behavior early. 3. Isolate the management network segment where the SEL software operates, limiting access to trusted personnel and systems only. 4. Employ network segmentation and firewall rules to restrict communication to and from SEL devices, minimizing exposure to potential attackers. 5. Educate and train staff on the risks of social engineering and phishing attacks that could lead to credential compromise or user interaction exploitation. 6. Regularly audit and review user privileges to ensure the principle of least privilege is enforced. 7. Until patches are released, consider deploying application whitelisting or sandboxing techniques to prevent execution of unauthorized code resulting from deserialization attacks. 8. Engage with Schweitzer Engineering Laboratories for timely updates and apply patches immediately once available. 9. Perform vulnerability scanning and penetration testing focused on ICS environments to identify and remediate related weaknesses.