Contact
Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Cybersecurity is about sharing. Recognize the risk,
combat it, share your experiences, and encourage others
to do better than you.
Banner Ancharia Mobile 1
TM RedHotCyber 970x120 042543
Critical Vulnerability in Iskra iHUB Devices Exposed

Critical Vulnerability in Iskra iHUB Devices Exposed

3 December 2025 19:46

A serious security vulnerability has been discovered in smart metering infrastructure, which could expose utility networks to remote takeover risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning of a critical vulnerability in the Iskra iHUB and iHUB Lite devices, which attackers could exploit to bypass authentication entirely.

The vulnerability, identified as CVE-2025-13510 , has a base score of 9.1 (critical) in CVSS v3.1 and affects all versions of Iskra iHUB and iHUB Lite devices, typically used as smart metering gateways and data concentrators.

The vulnerability stems from a fundamental flaw in the device’s security architecture: the lack of authentication controls for critical functions. The CISA announcement states that the device “exposes its web management interface without authentication, allowing unauthorized users to access and modify critical device settings.”

Essentially, the control panel is unlocked and can be accessed without a username or password.

The potential impact of this vulnerability goes far beyond simple data breaches. Because the web interface controls the device’s core functions, an attacker who gained access would immediately gain administrator privileges.

The announcement warns : “Exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.” Malicious actors could exploit it to:

  1. Service interruption : Reconfiguring your device settings
  2. Establish persistent control : Load malicious firmware updates
  3. Lateral Penetration : Manipulation of the gateway’s downstream connection system

The situation was further complicated by the vendor’s failure to respond. CISA stated in its report that “Iskla did not respond to CISA’s request for coordination,” preventing affected organizations from obtaining official patches or a timeline for the fix. The vulnerability was initially reported to CISA by researcher Souvik Kandar.

Given the current lack of patches from vendors , CISA urges users to immediately take rigorous defensive measures to isolate these devices from the public Internet.

Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.

Cropped RHC 3d Transp2 1766828557 300x300
The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.