CVE-2025-13510
Published 2025-12-02
Priority P2 63, critical, 9.3 CVSS 4.0
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (all threat, environmental and supplemental metrics set to X, not defined)
EPSS
0.57%
42.9th percentile
The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iskra | ihub_and_ihub_lite | — | — |
Detection & IOCs (extracted from sources)
- The Iskra iHUB and iHUB Lite web management interface is exposed without authentication — detect unauthenticated HTTP requests to the device's web management interface (all versions affected)
- Monitor for unauthenticated access attempts to Iskra iHUB/iHUB Lite management interfaces that result in device reconfiguration, firmware update requests, or manipulation of connected metering systems
- Alert on network traffic to Iskra iHUB/iHUB Lite devices originating from outside the ICS network segment or from the internet, given the remote/low-complexity exploitability (CVSS v4 9.3, AV:N/AC:L)
- All versions of Iskra iHUB and iHUB Lite are affected; there is no patched version available as the vendor did not respond to CISA coordination — treat all deployed devices as vulnerable
- No known public exploitation has been reported at time of advisory publication, but the attack requires no credentials and no user interaction, making opportunistic exploitation straightforward
CISA ICS
Iskra iHUB and iHUB Lite
cisa_ics·2025-12-02·CVSS 9.3
[CRITICAL] Iskra iHUB and iHUB Lite
ICS Advisory
## Iskra iHUB and iHUB Lite
Release Date: December 02, 2025
Alert Code: ICSA-25-336-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Iskra
- Equipment: iHUB and iHUB Lite
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Iskra iHUB and iHUB Lite, a Smart Metering Gateway and Data Concentrator, are affected:
- i
GHSA
GHSA-wj6f-3cjx-4966: The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated us
ghsa_unreviewed·2025-12-02
CVE-2025-13510 [CRITICAL] CWE-306 GHSA-wj6f-3cjx-4966: The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated us
The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-12-02
Published