PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-41425 DuraComm Corporation CVE debrief

CVE-2025-41425 tracks a cross-site scripting (XSS) issue in DuraComm Corporation's SPM-500 DP-10iN-100-MU, affecting version 4.10 and earlier, published by CISA as advisory ICSA-25-203-01. According to the advisory, the issue could allow an attacker to prevent legitimate users from accessing the web interface. DuraComm recommends updating to Version 4.10A.

Vendor: DuraComm Corporation
Product: SPM-500 DP-10iN-100-MU
CVSS: 8.1 (High)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-22
Original CVE updated: 2025-07-22
Advisory published: 2025-07-22
Advisory updated: 2025-07-22

Who should care

Owners and operators of DuraComm SPM-500 DP-10iN-100-MU systems, OT/ICS administrators, and security teams responsible for managing the device web interface and patching embedded or industrial equipment.

Technical summary

The supplied CSAF advisory identifies an XSS vulnerability in DuraComm Corporation SPM-500 DP-10iN-100-MU products at versions <=4.10. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H: network-reachable, low attack complexity, a low-privilege account required, no user interaction, unchanged scope, no confidentiality impact, and high integrity and availability impact. Note that this profile differs from the one usually assigned to XSS (user interaction required, changed scope, low confidentiality and integrity impact, no availability impact): the supplied vector instead matches the advisory narrative, which describes legitimate users being prevented from accessing the web interface rather than script execution in a victim's browser. Treat the score as supplied, but plan mitigations around loss of access to the interface, not only around the classic XSS threat model. The only stated remediation is to update to Version 4.10A through DuraComm.

Defensive priority

High. The issue is network-reachable, scored CVSS 8.1 (High), and affects a device management web interface that may be operationally important in ICS/OT environments. The vector requires an authenticated low-privilege account (PR:L), so limiting who can reach and log in to the interface is a meaningful interim control until the update is applied. Prioritize exposure review, access restriction, and vendor update deployment for any affected units.

Recommended defensive actions

  • Inventory DuraComm SPM-500 DP-10iN-100-MU devices and record the exact firmware version of each; anything at 4.10 or earlier is in the affected range, and 4.10A is the fixed build.
  • Restrict access to the device web interface to trusted management networks and administrative hosts only, and review which accounts can log in, since the vector requires an authenticated low-privilege user (PR:L).
  • Apply DuraComm's recommended update to Version 4.10A as soon as operationally feasible; contact DuraComm to obtain the update.
  • Monitor the web interface for unexpected behavior or loss of access for legitimate users, and follow CISA ICS recommended practices for defense in depth.
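The inventory step has one trap worth handling explicitly: the fixed build is 4.10A, so any version comparison must rank the letter suffix above the bare base version, and must not treat 4.9 as newer than 4.10 (string sorting and float casting both get this wrong). The following is an added example of such a check, not vendor or CISA tooling; the CSV layout and hostnames are constructed for the example, and the version grammar (dotted integers with an optional single-letter suffix and optional leading "v") is an assumption about how the firmware reports itself.

```python
"""Inventory check for CVE-2025-41425: which DuraComm SPM-500 DP-10iN-100-MU
units still run an affected build (<= 4.10)?

Added example, not vendor or CISA tooling. The fixed release is 4.10A, so the
comparison must rank a letter suffix above the bare base version; sorting
version strings lexically or casting them to float gets this wrong.
"""
import csv
import io
import re

AFFECTED_PRODUCT = "SPM-500 DP-10iN-100-MU"
LAST_AFFECTED = "4.10"   # CSAF range: <= 4.10
FIXED_VERSION = "4.10A"  # vendor-recommended update

# Assumed version grammar: dotted integers, optional single-letter revision
# suffix, optional leading "v"/"V" (e.g. "4.10", "4.10A", "v4.9").
VERSION_RE = re.compile(r"^[vV]?(\d+(?:\.\d+)*)([A-Za-z]?)$")


def version_key(version):
    """Sortable key: numeric components as integers, then the suffix.
    An empty suffix sorts before "A", so 4.10 < 4.10A, and integer
    comparison keeps 4.9 < 4.10 (a string or float compare would not)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2).upper()


def is_affected(version):
    """True when the reported version falls inside the advisory's <= 4.10 range."""
    return version_key(version) <= version_key(LAST_AFFECTED)


# Constructed sample inventory; hostnames and rows are invented for this example.
SAMPLE_INVENTORY = """host,product,version
spm-a.ot.example,SPM-500 DP-10iN-100-MU,4.10
spm-b.ot.example,SPM-500 DP-10iN-100-MU,4.10A
spm-c.ot.example,SPM-500 DP-10iN-100-MU,v4.9
rtu-7.ot.example,Other Device,4.10
spm-d.ot.example,SPM-500 DP-10iN-100-MU,unknown
"""


def find_affected(csv_text):
    """Return (affected_hosts, unparseable_hosts) for the affected product.
    Units whose version cannot be parsed are reported separately rather
    than silently treated as safe."""
    affected, unparseable = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip() != AFFECTED_PRODUCT:
            continue
        try:
            if is_affected(row["version"]):
                affected.append(row["host"])
        except ValueError:
            unparseable.append(row["host"])
    return affected, unparseable


if __name__ == "__main__":
    hit, unknown = find_affected(SAMPLE_INVENTORY)
    print(f"affected, update to {FIXED_VERSION}:", hit)
    print("version unknown, verify manually:", unknown)
```

On the constructed inventory this flags the 4.10 and v4.9 units as affected, leaves the 4.10A unit alone, ignores the other product, and reports the unit with an unreadable version string for manual verification instead of dropping it.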

Evidence notes

The evidence base is the CISA CSAF advisory ICSA-25-203-01, published 2025-07-22T06:00:00Z, which lists the affected product, version range (<=4.10), the XSS description, and the recommended update to 4.10A. The supplied CVSS vector and score are used for severity context. No KEV entry or ransomware association is provided in the supplied corpus.

Official resources

Initial publication date in the supplied source and CVE timeline is 2025-07-22T06:00:00Z. The provided corpus shows the same timestamp for publication and modification, with no later revision history in the supplied data.