PatchSiren

CVE-2025-48733 DuraComm Corporation CVE debrief

CVE-2025-48733 is a high-severity availability issue in DuraComm’s SPM-500 DP-10iN-100-MU. CISA says the affected product lacks access controls for a function that should require user authentication, which could allow an attacker to repeatedly reboot the device. DuraComm recommends updating to Version 4.10A.

Vendor: DuraComm Corporation
Product: SPM-500 DP-10iN-100-MU
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-22
Original CVE updated: 2025-07-22
Advisory published: 2025-07-22
Advisory updated: 2025-07-22

Who should care

OT/ICS asset owners, control system operators, network defenders, and incident responders responsible for DuraComm SPM-500 DP-10iN-100-MU deployments—especially where device uptime and availability are operationally critical.

Technical summary

The supplied CSAF record for ICSA-25-203-01 maps CVE-2025-48733 to DuraComm Corporation SPM-500 DP-10iN-100-MU versions <=4.10. The advisory description states that a function requiring authentication lacks access controls, and the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a network-reachable, no-authentication availability impact consistent with repeated reboot/denial-of-service behavior.

Defensive priority

High

Recommended defensive actions

  • Identify whether any DuraComm Corporation SPM-500 DP-10iN-100-MU installations are running firmware version 4.10 or earlier.
  • Apply DuraComm’s recommended update to Version 4.10A; obtain the update through DuraComm’s contact channel if needed.
  • Limit exposure of the device to trusted management networks and restrict administrative access to essential users and systems.
  • Monitor affected environments for unexpected reboot events and validate recovery procedures for operational continuity.
  • Follow CISA ICS recommended practices for segmentation and defensive hardening in OT/ICS environments.
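
For the first action above, an inventory triage sketch (an added example, not code from CISA, DuraComm, or this site). It assumes firmware strings have the form major.minor with an optional single-letter revision suffix, as "4.10" and "4.10A" suggest; the asset names and the inventory are constructed.

```python
import re

# Assumption: versions look like "<major>.<minor>" plus an optional one-letter
# revision suffix ("4.10", "4.10A"). Anything else goes to manual review.
_VERSION = re.compile(r"^\s*[vV]?(\d+)\.(\d+)([A-Za-z]?)\s*$")

# Advisory: versions <= 4.10 are affected; the recommended update is 4.10A.
LAST_AFFECTED = (4, 10, "")


def parse_version(text):
    """Return (major, minor, suffix) or None if the string is not recognised."""
    m = _VERSION.match(text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3).upper()


def classify(version_text):
    """Classify one reported firmware string: affected / updated / unknown."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # never assume an unreadable version is safe
    # Tuple comparison: numeric major and minor, then suffix ("" sorts before "A").
    return "affected" if parsed <= LAST_AFFECTED else "updated"


def triage(inventory):
    """Group (asset, version) pairs into {status: [asset, ...]}."""
    report = {"affected": [], "updated": [], "unknown": []}
    for asset, version_text in inventory:
        report[classify(version_text)].append(asset)
    return report


# Constructed sample inventory (asset names and versions are made up).
SAMPLE_INVENTORY = [
    ("site-a-dev-01", "4.10"),
    ("site-a-dev-02", "4.10A"),
    ("site-b-dev-01", "4.9"),     # plain string comparison would sort this after 4.10A
    ("site-b-dev-02", "v4.10a"),
    ("site-c-dev-01", "4.2"),
    ("site-c-dev-02", ""),        # version not reported
]

if __name__ == "__main__":
    for status, assets in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(assets) or '-'}")
```

Devices in the "unknown" group should be checked by hand rather than treated as updated.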

Evidence notes

Primary evidence comes from the supplied CISA CSAF advisory record for ICSA-25-203-01 / CVE-2025-48733, published 2025-07-22 with initial revision history only. The record names the affected product as DuraComm Corporation SPM-500 DP-10iN-100-MU: <=4.10 and states that the product lacks access controls for a function that should require user authentication, allowing repeated reboot of the device. The mitigation field recommends updating to Version 4.10A. The supplied record also provides the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating availability-only impact.

Official resources

CISA publicly issued the advisory record on 2025-07-22 (initial publication in the supplied record). The supplied enrichment does not indicate a KEV listing or due date.