Friday, May 1, 2026

CISA Issues Warning About Iskra iHUB Authentication Flaw Allowing Remote Device Reconfiguration

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory warning of a high-severity authentication flaw in Iskra’s iHUB and iHUB Lite intelligent metering gateways.

According to the advisory, released on December 2, 2025, under alert code ICSA-25-336-02, the vulnerability enables remote attackers to reconfigure devices, update firmware, and tamper with connected systems without credentials.

Assigned CVE-2025-13510, it stems from a missing authentication mechanism on the web management interface, classified as CWE-306.

Deployed worldwide in the energy sector, these devices from Slovenian vendor Iskra pose risks to industrial control systems (ICS). Read the complete advisory and CSAF.

Vulnerability Technical Breakdown

Iskra iHUB and iHUB Lite serve as data concentrators in smart metering setups, aggregating and relaying utility data. All versions remain vulnerable, as confirmed in CISA’s analysis.

The core issue exposes the web interface without login checks, granting unauthenticated access to sensitive endpoints.

Attackers can alter configurations, push malicious firmware, or disrupt metering operations remotely over the network.

This flaw earns top-tier severity scores due to its network accessibility and low complexity:

| CVSS Version | Base Score | Vector String | Key Metrics |
|---|---|---|---|
| v3.1 | 9.1 (Critical) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N | Network attack (AV:N), no privileges needed (PR:N), high confidentiality/integrity impact |
| v4.0 | 9.3 (Critical) | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | Adds attack timing (AT:N), emphasizes vulnerable system impacts (VC:H/VI:H) |

Security researcher Souvik Kandar disclosed the issue to CISA. No patches exist yet, as Iskra failed to coordinate.

The advisory highlights the potential for exploitation in energy infrastructure, where gateways often bridge operational technology (OT) to IT networks.

Successful attacks could cascade failures in power distribution or billing systems, enabling sabotage without detection.

CISA stresses immediate defensive steps, prioritizing network isolation. Organizations should block internet exposure for iHUB devices, segment ICS networks behind firewalls, and avoid direct remote access.

For essential connectivity, deploy updated VPNs, but assess device-side risks first.

Broader guidance includes CISA’s ICS recommended practices, defense-in-depth strategies (PDF), and proactive ICS cybersecurity.

Conduct impact analyses before changes. Report suspicious activity to CISA. No public exploits target this flaw yet, but its simplicity demands urgency.

Varshini
Varshini is a cyber security expert in threat analysis, vulnerability assessment, and research, passionate about staying ahead of emerging threats and technologies.
