
CISA issues alert on Iskra iHUB authentication flaw

Iskra iHUB and iHUB Lite smart metering gateways contain a Missing Authentication for Critical Function weakness that allows remote actors to reach the device management interface and change configuration and firmware without providing credentials.

The affected products are iHUB and iHUB Lite, all versions. The issue is classified as Missing Authentication for Critical Function (CWE-306) and stems from the web management interface exposing management functions without requiring authentication, permitting unauthenticated users to access and modify critical device settings. CVE-2025-13510 has been assigned; a Common Vulnerability Scoring System (CVSS) v3.1 base score of 9.1 was calculated with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. A CVSS v4 base score of 9.3 was calculated with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N. The products are deployed worldwide in the Energy critical infrastructure sector, and the company is headquartered in Slovenia. The vulnerability was reported to CISA by Souvik Kandar.

Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.

Iskra did not respond to CISA's request for coordination; CISA advises contacting Iskra through the company's contact page for additional information. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

CISA recommends users take defensive measures to minimize network exposure for all control system devices and systems, ensuring they are not accessible from the Internet. CISA also advises locating control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, CISA advises using more secure methods such as Virtual Private Networks (VPNs), noting that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. It points to the control systems security recommended practices on the ICS webpage, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies, references additional mitigation guidance in ICS-TIP-12-146-01B, and advises organizations observing suspected malicious activity to follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.