A critical gap in smart metering infrastructure has been disclosed, one that could leave utility networks exposed to remote takeover. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for a severe vulnerability in Iskra’s iHUB and iHUB Lite devices: their management interface requires no authentication at all, so there is nothing for an attacker to bypass.
The vulnerability, tracked as CVE-2025-13510, carries a critical CVSS v3.1 base score of 9.1. It affects all versions of the Iskra iHUB and iHUB Lite, devices commonly used as smart metering gateways and data concentrators.
The issue stems from a fundamental failure in the device’s security architecture: a missing authentication check for critical functions. According to the CISA advisory, the device “exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.”
Essentially, the administrative panel is left unlocked, requiring no username or password to access.
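To make the weakness concrete, here is an added example (not Iskra’s code and not taken from the CISA advisory) of the pattern CWE-306, Missing Authentication for Critical Function, describes: a constructed in-memory web-management dispatcher whose settings and firmware routes run for anyone who can reach the port, beside a deny-by-default rewrite that checks credentials before routing. The routes, the device fields, the salt and the admin credential are all assumptions made for the illustration.

```python
# Added example: CWE-306 on a constructed gateway web interface, vulnerable
# form beside a hardened form. Not the vendor's code; routes, device state,
# salt and credential below are assumptions for illustration only.
import base64
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Device:
    # Constructed gateway state; the field names are illustrative.
    settings: dict = field(default_factory=lambda: {"ntp_server": "pool.ntp.org",
                                                    "report_interval_s": 900})
    firmware: str = "1.0.0"


def _dispatch(dev: Device, req: Request):
    """Route table shared by both handlers. Every route reads or changes
    security-relevant state, so every route is a critical function."""
    if req.method == "GET" and req.path == "/api/settings":
        return 200, dict(dev.settings)
    if req.method == "POST" and req.path == "/api/settings":
        dev.settings.update(req.body)
        return 200, {"ok": True}
    if req.method == "POST" and req.path == "/api/firmware":
        # A real implementation must also verify the image's signature;
        # omitted here because the point is the missing access control.
        dev.firmware = req.body.get("version", dev.firmware)
        return 200, {"ok": True}
    return 404, {"error": "not found"}


def handle_vulnerable(dev: Device, req: Request):
    """The exposed-interface pattern: requests go straight to the route
    table, so whoever can reach the TCP port is the administrator."""
    return _dispatch(dev, req)


# --- hardened variant -------------------------------------------------------
ADMIN_USER = "admin"
_SALT = b"constructed-salt-value"          # per-device random salt in practice
PUBLIC_ROUTES = {("GET", "/health")}        # everything else needs credentials


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


ADMIN_PW_HASH = _pw_hash("correct horse battery staple")   # assumed credential


def basic_auth_header(user: str, password: str) -> str:
    """Builds an RFC 7617 Basic credential as a client would send it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _authenticated(req: Request) -> bool:
    header = req.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Compute both comparisons before combining them, in constant time, so
    # response timing does not reveal which half of the credential was wrong.
    user_ok = hmac.compare_digest(user.encode(), ADMIN_USER.encode())
    pw_ok = hmac.compare_digest(_pw_hash(password), ADMIN_PW_HASH)
    return user_ok and pw_ok


def handle_hardened(dev: Device, req: Request):
    """Deny by default: authentication is checked once, before routing,
    so a route added later cannot forget to check it."""
    if (req.method, req.path) in PUBLIC_ROUTES:
        return 200, {"status": "up"}
    if not _authenticated(req):
        # A real server also sends WWW-Authenticate: Basic realm="..." here.
        return 401, {"error": "authentication required"}
    return _dispatch(dev, req)


if __name__ == "__main__":
    # Constructed unauthenticated request pointing NTP at an attacker host.
    attacker = Request("POST", "/api/settings", body={"ntp_server": "198.51.100.7"})
    print("vulnerable:", handle_vulnerable(Device(), attacker))
    print("hardened:  ", handle_hardened(Device(), attacker))
```

The important design choice is where the check lives: in the hardened variant the authentication gate sits in front of the route table rather than inside each handler, which is how an interface ends up with every critical function reachable anonymously in the first place.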
The potential impact of this flaw extends far beyond simple data leakage. Because the web interface controls the device’s core functions, an attacker who gains access effectively becomes the administrator.
The advisory warns that “successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.”
This level of access could allow malicious actors to:
- Disrupt services by reconfiguring device settings.
- Establish persistence by uploading malicious firmware.
- Pivot to other systems by manipulating equipment connected downstream of the gateway.
Complicating matters, the manufacturer has not responded. CISA notes in its advisory that “Iskra did not respond to CISA’s request for coordination,” leaving affected organizations without an official patch or a timeline for one. The vulnerability was reported to CISA by researcher Souvik Kandar.
With no vendor patch available, CISA is urging users to implement defensive measures immediately, above all isolating these devices from the public internet. Because the same interface accepts firmware updates without credentials, any unit that has already been reachable from untrusted networks should be treated as potentially compromised, not merely as unpatched.