Iskra iHUB and iHUB Lite

Act Now9.1ICS-CERT ICSA-25-336-02Dec 2, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Iskra iHUB and iHUB Lite devices (all versions) contain a missing authentication vulnerability (CWE-306) that allows a remote attacker to reconfigure the device, update firmware, and manipulate connected systems without any credentials. The vulnerability affects all versions and no vendor fix is available. Iskra did not respond to CISA's request for coordination.

What this means

What could happen

An attacker could reconfigure the iHUB or iHUB Lite device and update its firmware remotely without credentials, potentially altering metering operations, data collection, or control settings across connected systems.

Who's at risk

Water utilities and municipal electric utilities using Iskra iHUB or iHUB Lite devices for meter data collection, aggregation, and telemetry should prioritize this advisory. Any organization that has these devices connected to its network and exposed to untrusted segments is at risk.

How it could be exploited

An attacker on the network segment where the iHUB/iHUB Lite is located can send unauthenticated requests directly to the device to reconfigure settings or push malicious firmware. No credentials are required to perform these actions.

Prerequisites

Network access to the iHUB or iHUB Lite device port
Device must be reachable from attacker's network position

remotely exploitableno authentication requiredlow complexityno patch availableaffects metering and data integrity

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

iHUB and iHUB Lite: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGEnsure iHUB and iHUB Lite devices are not exposed to the internet; confirm no public-facing routes or port forwarding rules allow inbound connections

HARDENINGPlace iHUB and iHUB Lite devices behind firewall and isolate them from business networks; restrict network access to only authorized engineering systems

WORKAROUNDIf remote access to the device is required, implement a VPN tunnel to reach it rather than exposing it directly; ensure VPN is configured with current patches and strong authentication

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor iHUB and iHUB Lite for unexpected configuration changes or firmware updates; log all access attempts and alert on unauthenticated connection attempts

CVEs (1)

CVE-2025-13510

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7117052f-7342-49ef-9ce9-5a9635af9e50