SB2025072317 - Multiple vulnerabilities in DuraComm SPM-500 DP-10iN-100-MU

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2025-41425)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Missing Authentication for Critical Function (CVE-ID: CVE-2025-48733)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to missing authentication for critical function. A remote attacker can perform a denial of service (DoS) attack.

3) Cleartext transmission of sensitive information (CVE-ID: CVE-2025-53703)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to software uses insecure communication channel to transmit sensitive information. A remote attacker can gain access to sensitive data.

Remediation

Install update from vendor's website.

References

• https://duracomm.com/contact-us/
• https://www.cisa.gov/news-events/ics-advisories/icsa-25-203-01