DuraComm DP-10iN-100-MU

Plan PatchCVSS 8.1ICS-CERT ICSA-25-203-01Jul 22, 2025

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

DuraComm SPM-500 DP-10iN-100-MU firmware versions 4.10 and earlier contain vulnerabilities in input validation (CWE-79, CWE-306) and sensitive data protection (CWE-319) that could allow an authenticated attacker to disclose sensitive information or cause a denial-of-service condition.

What this means

What could happen

An authenticated attacker on your network could view sensitive configuration data from the DP-10iN-100-MU or force it to stop responding, disrupting whatever process it controls (power distribution monitoring, HVAC, water treatment, etc.).

Who's at risk

Water utilities, electric utilities, HVAC system operators, and other facility managers who use DuraComm SPM-500 DP-10iN-100-MU devices for monitoring or control. This affects any organization using this device for power distribution monitoring, environmental control, or critical facility operations.

How it could be exploited

An attacker with valid login credentials on your network could send malformed input to the SPM-500 web interface (CWE-79) to extract configuration data or exploit missing access controls (CWE-306) to access restricted functions. They could also intercept unencrypted sensitive data in transit (CWE-319) if the device is on an unsecured network segment.

Prerequisites

Valid user credentials for the SPM-500 DP-10iN-100-MU web interface
Network connectivity to the device management port
Device running firmware version 4.10 or earlier

Remotely exploitable from authenticated user accountsAffects control system monitoring/SCADA deviceInformation disclosure and denial-of-service potentialRequires valid credentials (reduces but does not eliminate risk)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

SPM-500 DP-10iN-100-MU: <=4.10≤ 4.104.10A

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the DP-10iN-100-MU management interface to authorized engineering workstations only using firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SPM-500 DP-10iN-100-MU firmware to version 4.10A or later

Long-term hardening

0/2

HARDENINGPlace the DP-10iN-100-MU and all other control system devices behind a firewall, isolated from business networks and the Internet

HARDENINGIf remote access to the device is required, route it through a VPN with current security patches

CVEs (3)

CVE-2025-41425 CVE-2025-48733 CVE-2025-53703

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/32e5eb3d-c750-4163-9351-077308a50c6e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.