A severe authentication vulnerability has been discovered in Iskra’s iHUB and iHUB Lite intelligent metering gateways, widely deployed across global energy networks. Tracked as CVE-2025-13510, this flaw carries a CVSS v4 score of 9.3, signaling an exploit that requires minimal technical complexity for attackers.
What Makes This Vulnerability Dangerous?
The issue stems from the absence of an authentication mechanism on the web management interface of affected devices. This oversight allows unauthenticated remote attackers to:
- Access the device’s control panel without credentials
- Reconfigure critical settings
- Update firmware
- Manipulate connected systems within energy networks
Given the widespread deployment of these devices, the impact on critical infrastructure could be catastrophic.
Affected Products and Technical Details
| Metric | Details |
|---|---|
| CVE ID | CVE-2025-13510 |
| Affected Products | iHUB and iHUB Lite (All Versions) |
| Vulnerability Type | Missing Authentication for Critical Function (CWE-306) |
| CVSS v4 Score | 9.3 |
| Attack Vector | Network-based, remotely exploitable |
Vendor Response and Industry Concern
Despite the severity, Iskra has not responded to CISA’s coordination requests, leaving organizations without official patches or guidance. This lack of vendor support forces operators to rely on defensive mitigation strategies.
Recommended Mitigation Steps
CISA advises organizations to implement defense-in-depth strategies, including:
- Network Segmentation: Isolate control system infrastructure from internet-facing networks
- Firewalls & Restricted Access: Deploy devices behind firewalls with strict access controls
- VPN for Remote Administration: Use secure VPNs for any remote management
- Continuous Monitoring: Track suspicious administrative access attempts and anomalous configuration changes
- Risk Assessment: Conduct thorough evaluations before implementing measures
Report any suspected malicious activity to CISA for correlation with other incidents. Additional guidance and best practices are available at cisa.gov/ics.
Why This Matters
Energy infrastructure is a prime target for cyberattacks. Vulnerabilities like CVE-2025-13510 highlight the urgent need for secure device design, proactive vendor support, and robust cybersecurity frameworks to protect critical assets.
