Critical authentication bypass flaw reported in Iskra Smart Metering gateways
Take action: If you are using Iskra iHUB and iHUB Lite smart metering gateways, make sure that they are isolated from the internet and placed behind firewalls on trusted networks only. Since no patch is available, require VPN access for any remote management and closely monitor these devices for unauthorized access attempts.
CISA is reporting a critical security vulnerability affecting Iskra's iHUB and iHUB Lite smart metering gateways and data concentrators.
The flaw, tracked as CVE-2025-13510 (CVSS score 9.3), is a missing authentication vulnerability for critical functions. Put simply, the web management interface of the Iskra iHUB and iHUB Lite smart metering gateways is exposed without any form of authentication. This allows unauthenticated remote attackers to perform privileged operations.
All versions of Iskra iHUB and iHUB Lite are affected by this vulnerability. Iskra did not respond to CISA's attempts to coordinate disclosure and remediation of this issue. There is no patch at the time of reporting.
As a mitigating measure, CISA strongly recommends ensuring that control system devices and systems are not accessible from the Internet, locating control system networks and remote devices behind firewalls, and using VPNs when remote access is required.
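One way to check the isolation and monitoring advice against firewall flow logs, as an added example that is not from CISA or Iskra. The gateway addresses, trusted VPN/management subnets and log columns are assumptions constructed for the illustration.

```python
import csv
import io
import ipaddress

# Assumptions (constructed for this example, not from the advisory):
# gateway addresses, the VPN/management subnets, and the flow-log columns.
GATEWAYS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
TRUSTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.99.0.0/24", "10.20.1.0/28")]

# Constructed sample of firewall flow records.
SAMPLE_FLOWS = """\
time,src,dst,dport,action
2025-01-10T08:00:01Z,10.99.0.15,10.20.0.11,443,allow
2025-01-10T08:03:44Z,203.0.113.50,10.20.0.11,443,deny
2025-01-10T08:05:10Z,198.51.100.7,10.20.0.12,80,allow
2025-01-10T08:06:02Z,10.20.1.5,10.20.0.12,443,allow
2025-01-10T08:07:30Z,10.30.4.9,10.20.0.11,8080,allow
2025-01-10T08:09:00Z,10.99.0.15,10.50.0.3,443,allow
"""


def is_trusted(src):
    """True when the source sits in a VPN or management subnet."""
    return any(src in net for net in TRUSTED_SOURCES)


def audit_flows(csv_text):
    """Return a finding for every flow aimed at a gateway from an untrusted
    source. 'exposed' means the firewall allowed it, so the unauthenticated
    interface was reachable; 'blocked' is an attempt the firewall stopped."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
        except ValueError:
            # Malformed record: surface it instead of silently dropping it.
            findings.append(("unparsed", row.get("time"), row.get("src"), row.get("dst")))
            continue
        if dst not in GATEWAYS or is_trusted(src):
            continue
        allowed = (row["action"] or "").strip().lower() == "allow"
        findings.append(("exposed" if allowed else "blocked", row["time"], str(src), str(dst)))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Because the check ignores the destination port, any allowed flow from outside the trusted subnets counts as exposure, including from other internal segments.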