CVE-2025-13510
published 2025-12-02


Priority P263 · critical · 9.3 · CVSS 4.0
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.57% (42.9th percentile)
The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.

Affected

1 range
Vendor | Product | Version range | Fixed in
iskra | ihub_and_ihub_lite | |

Detection & IOCs (extracted from sources)

  • The Iskra iHUB and iHUB Lite web management interface is exposed without authentication — detect unauthenticated HTTP requests to the device's web management interface (all versions affected)
  • Monitor for unauthenticated access attempts to Iskra iHUB/iHUB Lite management interfaces that result in device reconfiguration, firmware update requests, or manipulation of connected metering systems
  • Alert on network traffic to Iskra iHUB/iHUB Lite devices originating from outside the ICS network segment or from the internet, given the remote/low-complexity exploitability (CVSS v4 9.3, AV:N/AC:L)
  • All versions of Iskra iHUB and iHUB Lite are affected; there is no patched version available as the vendor did not respond to CISA coordination — treat all deployed devices as vulnerable
  • No known public exploitation has been reported at time of advisory publication, but the attack requires no credentials and no user interaction, making opportunistic exploitation straightforward