Iskra iHUB and iHUB Lite

Plan PatchCVSS 9.1ICS-CERT ICSA-25-336-02Dec 2, 2025

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Iskra iHUB and iHUB Lite devices contain an authentication bypass vulnerability (CWE-306) affecting all versions. A remote attacker can reconfigure devices, update firmware, and manipulate connected systems without providing any credentials. The vulnerability has a CVSS score of 9.1 and affects the device's ability to secure administrative functions. Iskra has not released a patch and did not respond to CISA coordination requests.

What this means

What could happen

An attacker without credentials could remotely reconfigure Iskra iHUB devices, update their firmware, and manipulate connected systems, potentially disrupting energy distribution or measurement operations. This affects devices that manage critical metering, control, and data functions in utility networks.

Who's at risk

Iskra iHUB and iHUB Lite devices used in utility smart metering, energy management, and system control deployments. This affects organizations responsible for electricity distribution, metering infrastructure, and any industrial control systems that rely on Iskra hubs for device management and data collection.

How it could be exploited

An attacker on the network (or internet if the device is exposed) sends a crafted request to the iHUB management interface. The device accepts the request without requiring authentication and executes the attacker's configuration or firmware update commands, allowing modification of device behavior and connected systems.

Prerequisites

Network access to the iHUB management port/interface
Device is reachable from the attacker's network (may be direct internet access if not firewalled)

remotely exploitableno authentication requiredlow complexityno patch availablecritical severity (CVSS 9.1)

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

iHUB and iHUB Lite: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to iHUB devices using firewall rules; block internet-facing access and allow only trusted administrative networks and VPN connections

HARDENINGConduct a network inventory to identify all exposed iHUB and iHUB Lite devices and assess current firewall/access controls

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor iHUB devices for unexpected configuration or firmware changes; establish logging and alerting on management interface access

Mitigations - no patch available

0/2

iHUB and iHUB Lite: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGSegment iHUB devices behind a firewall on a separate network from business IT systems and the internet

HARDENINGIf remote management is required, enforce access only through a VPN with current patches and strong authentication

CVEs (1)

CVE-2025-13510

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7117052f-7342-49ef-9ce9-5a9635af9e50

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.