Iskra iHUB Hacked Wide Open: Unauthenticated Access Exposes Smart Metering Gateways (CVE-2025-13510)

Overview

A critical vulnerability, identified as CVE-2025-13510, has been discovered in the Iskra iHUB and iHUB Lite smart metering gateway. This vulnerability allows unauthenticated users to access the web management interface without requiring any credentials. This poses a significant security risk, potentially allowing malicious actors to access and modify critical device settings.

This advisory is based on information published on December 2nd, 2025. Immediate action is recommended to mitigate this risk.

Technical Details

CVE-2025-13510 stems from the lack of proper authentication controls on the web management interface of the Iskra iHUB and iHUB Lite devices. An attacker on the same network (or with network access to the device) can simply navigate to the device’s web interface (typically on port 80 or 443) and gain full access to configuration settings. No username or password is required.

CVSS Analysis

Currently, a CVSS score has not yet been assigned to CVE-2025-13510, nor is a severity rating assigned by NIST. However, the potential impact of this vulnerability is high. Due to the ability to modify critical device settings without authentication, this vulnerability should be considered critical. Awaiting formal CVSS score is prudent, but don’t delay taking action.

Possible Impact

Successful exploitation of CVE-2025-13510 could lead to a variety of severe consequences, including:

• Device Configuration Manipulation: Attackers could alter device settings, potentially disrupting metering operations and causing inaccurate data collection.
• Denial of Service: Malicious configurations could render the devices unusable, leading to service disruptions.
• Data Tampering: Attackers could manipulate meter readings, leading to fraudulent billing or inaccurate usage reports.
• Network Compromise: The compromised iHUB device could be used as a pivot point for further attacks within the network.

Mitigation and Patch Steps

Until a patch is released by Iskra, the following mitigation steps are recommended:

1. Network Segmentation: Isolate the iHUB and iHUB Lite devices on a separate network segment, limiting access from untrusted networks.
2. Access Control Lists (ACLs): Implement ACLs to restrict access to the web management interface to only authorized IP addresses or networks.
3. Firewall Rules: Configure firewall rules to block unauthorized access to the device’s web management port (typically 80 or 443).
4. Monitor Network Traffic: Implement network monitoring solutions to detect any unauthorized attempts to access the device’s web interface.
5. Disable Remote Access (If Possible): If remote access to the web management interface is not required, disable it entirely. Consult the device’s documentation for instructions.
6. Contact Iskra: Contact Iskra directly for information on when a patch will be available and to report your concerns.

Important: Apply the official patch from Iskra as soon as it becomes available.