OTPulse

DuraComm DP-10iN-100-MU

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-25-203-01 | Jul 22, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

DuraComm SPM-500 DP-10iN-100-MU devices in versions 4.10 and earlier contain multiple vulnerabilities (CWE-79 cross-site scripting, CWE-306 missing authentication, CWE-319 cleartext transmission) that could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service condition. The device is accessible over the network with low attack complexity once an attacker has credentials.

What this means
What could happen
An attacker with engineering credentials could view sensitive configuration or operational data from the device, or disrupt its normal operation by triggering a denial-of-service condition. If this device manages critical process control or monitoring, such disruption could affect plant operations or data integrity.
Who's at risk
Water utilities and municipal electric facilities using DuraComm SPM-500 DP-10iN-100-MU equipment for monitoring, control, or data acquisition should evaluate their exposure. This device is typically used for remote site communication, telemetry, or RTU (Remote Terminal Unit) functionality. Any facility relying on this equipment for process visibility or control should assess the impact of a potential denial-of-service or data disclosure event.
How it could be exploited
An attacker with valid engineering workstation credentials could authenticate to the device's web interface over the network. Once authenticated, the attacker could exploit missing input validation (CWE-79) to inject commands, abuse missing authentication checks on specific functions (CWE-306), or intercept unencrypted data (CWE-319) to extract process or configuration information. The attacker could also craft requests to trigger resource exhaustion and stop the device's normal function.
Prerequisites
  • Valid engineering workstation credentials (username and password)
  • Network access to the SPM-500 DP-10iN-100-MU device on its management port (typically HTTP/HTTPS)
  • Device must be running firmware version 4.10 or earlier
  • Remotely exploitable
  • Requires valid credentials to exploit
  • Low attack complexity
  • Cleartext credential transmission (CWE-319)
  • Missing authentication on sensitive functions (CWE-306)
  • No patch currently available—vendor is distributing patch via direct contact only
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
SPM-500 DP-10iN-100-MU: <=4.10 | ≤ 4.10 | 4.10A
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the SPM-500 management interface: place the device behind a firewall and configure access control lists to allow only authorized engineering workstations by IP address
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact DuraComm directly to obtain and deploy firmware version 4.10A to all affected SPM-500 DP-10iN-100-MU devices
HARDENING: If remote access to the SPM-500 is required, require use of a VPN and enforce strong authentication (e.g., multi-factor authentication) for all access
HARDENING: Ensure all credentials used to access the SPM-500 are unique, strong, and managed securely; disable any default or shared engineering accounts
Long-term hardening
HARDENING: Segment the control system network from the business network to prevent lateral movement if an attacker gains credentials
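
One way to verify the access-restriction workaround above is to audit firewall flow logs for traffic to the device's management interface. This is an added example, not code from the advisory or from DuraComm. The device address, workstation allowlist, log format ("timestamp src dst dst_port action") and finding labels are all constructed assumptions.

```python
import ipaddress

# Constructed values (assumptions, not from the advisory).
DEVICE_IP = "10.20.30.40"
MGMT_PORTS = {80, 443}      # HTTP/HTTPS management interface
CLEARTEXT_PORTS = {80}      # CWE-319: HTTP sessions are unencrypted
ALLOWED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("10.20.1.10/32", "10.20.1.11/32")]

# Constructed sample flow log: timestamp src dst dst_port action
SAMPLE_LOG = """\
2025-07-23T08:01:12Z 10.20.1.10 10.20.30.40 443 ACCEPT
2025-07-23T08:03:40Z 10.20.1.11 10.20.30.40 80 ACCEPT
2025-07-23T08:05:02Z 198.51.100.7 10.20.30.40 80 ACCEPT
2025-07-23T08:05:09Z 198.51.100.7 10.20.30.40 443 DROP
2025-07-23T08:06:00Z 10.20.1.10 10.20.30.41 443 ACCEPT
not a flow record
"""

def is_allowed(src):
    """True if src is an authorized engineering workstation."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def audit(log_text):
    """Return (line_no, src, port, finding) tuples for the device."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue                      # skip malformed records
        _, src, dst, port, action = parts
        try:
            port, allowed = int(port), is_allowed(src)
        except ValueError:
            continue                      # bad port or source address
        if dst != DEVICE_IP or port not in MGMT_PORTS:
            continue
        if not allowed:
            # ACCEPT from an unlisted source means the ACL has a gap.
            kind = "ACL_GAP" if action == "ACCEPT" else "BLOCKED_ATTEMPT"
            findings.append((lineno, src, port, kind))
        if action == "ACCEPT" and port in CLEARTEXT_PORTS:
            findings.append((lineno, src, port, "CLEARTEXT_SESSION"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

An `ACL_GAP` finding means the firewall rule set still permits an unlisted source. A `CLEARTEXT_SESSION` finding from an authorized workstation means credentials may be crossing the network unencrypted.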
API: /api/v1/advisories/32e5eb3d-c750-4163-9351-077308a50c6e
DuraComm DP-10iN-100-MU | CVSS 8.1 - OTPulse