Critical Vulnerability in Iskra iHUB Devices Exposed
Red Hot Cyber

Redazione RHC : 3 December 2025 19:46

A serious security vulnerability has been discovered in smart metering infrastructure, which could expose utility networks to remote takeover risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning of a critical vulnerability in the Iskra iHUB and iHUB Lite devices, which attackers could exploit to bypass authentication entirely.

The vulnerability, identified as CVE-2025-13510, has a base score of 9.1 (critical) in CVSS v3.1 and affects all versions of Iskra iHUB and iHUB Lite devices, typically used as smart metering gateways and data concentrators.

The vulnerability stems from a fundamental flaw in the device’s security architecture: the lack of authentication controls for critical functions. The CISA announcement states that the device “exposes its web management interface without authentication, allowing unauthorized users to access and modify critical device settings.”

Essentially, the control panel is unlocked and can be accessed without a username or password.

The potential impact of this vulnerability goes far beyond simple data breaches. Because the web interface controls the device’s core functions, an attacker who gained access would immediately gain administrator privileges.

The announcement warns: “Exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.” Malicious actors could exploit it to:

  1. Disrupt service: reconfigure device settings
  2. Establish persistent control: load malicious firmware updates
  3. Move laterally: manipulate the systems connected downstream of the gateway

The situation was further complicated by the vendor’s failure to respond. CISA stated in its report that “Iskra did not respond to CISA’s request for coordination,” preventing affected organizations from obtaining official patches or a timeline for the fix. The vulnerability was initially reported to CISA by researcher Souvik Kandar.

Given the current lack of patches from the vendor, CISA urges users to immediately take rigorous defensive measures to isolate these devices from the public Internet.
