PatchSiren cyber security CVE debrief
CVE-2025-53703 DuraComm Corporation CVE debrief
CVE-2025-53703 is a high-severity confidentiality issue in DuraComm Corporation’s SPM-500 DP-10iN-100-MU. According to the CISA CSAF advisory published on 2025-07-22, the affected product transmits sensitive data without encryption over a channel that could be intercepted. DuraComm recommends updating to Version 4.10A to address the issue. For operators of the affected device, this is primarily a data exposure risk rather than an integrity or availability issue, but in OT environments, exposed credentials, configuration data, or operational details can still create meaningful downstream risk.
- Vendor: DuraComm Corporation
- Product: SPM-500 DP-10iN-100-MU
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-07-22
- Original CVE updated: 2025-07-22
- Advisory published: 2025-07-22
- Advisory updated: 2025-07-22
Who should care
OT/ICS operators using DuraComm SPM-500 DP-10iN-100-MU devices, industrial control system administrators, security teams supporting deployed field equipment, and integrators responsible for patching or applying compensating controls to devices running version 4.10 and earlier.
Technical summary
The advisory identifies a network-reachable confidentiality weakness: sensitive data is transmitted without encryption, allowing interception by an attacker on the communication path. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, consistent with a remotely reachable, low-complexity disclosure issue with high confidentiality impact and no direct integrity or availability impact. The affected product is listed as DuraComm Corporation SPM-500 DP-10iN-100-MU: <=4.10, and the remediation is to upgrade to Version 4.10A.
Defensive priority
High. Because the issue is network-reachable and exposes sensitive data in transit, it should be prioritized for environments where the device carries credentials, operational settings, or other sensitive telemetry.
Recommended defensive actions
- Upgrade affected devices to Version 4.10A using DuraComm’s remediation guidance.
- If immediate patching is not possible, reduce interception risk by isolating the device network and limiting access to trusted management paths only.
- Review what sensitive data the device transmits and minimize exposure of the affected communication channel wherever feasible.
- Apply ICS defense-in-depth and recommended-practices guidance from CISA to harden surrounding network controls.
- Verify deployed versions against the affected range (version 4.10 and earlier) and track remediation status across all sites.
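The version check in the last item can be scripted against an asset inventory. The following is an added example, not code from the advisory or from DuraComm; it assumes devices report versions in the "<major>.<minor>[letter]" form used by the advisory's "4.10" and "4.10A", and the inventory rows, site names and device IDs are constructed.

```python
import re

# Assumption: firmware versions are reported as "<major>.<minor>[letter]",
# the shape of the two versions named in the advisory ("4.10", "4.10A").
# Major and minor are compared as integers; a missing letter sorts first.
# An optional leading "v" is tolerated (also an assumption).
VERSION_RE = re.compile(r"^\s*[vV]?(\d+)\.(\d+)([A-Za-z]?)\s*$")
FIXED = "4.10A"  # remediation version from the advisory


def parse_version(text):
    """Return (major, minor, suffix) or raise ValueError."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3).upper()


def classify(reported):
    """Return 'affected', 'fixed', or 'unknown' for one reported version."""
    try:
        version = parse_version(reported)
    except ValueError:
        return "unknown"  # never count an unparseable value as patched
    return "fixed" if version >= parse_version(FIXED) else "affected"


def remediation_status(inventory):
    """Group (site, device_id, version) rows by status for tracking."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for site, device_id, version in inventory:
        report[classify(version)].append((site, device_id, version))
    return report


# Constructed sample inventory; site and device names are made up.
SAMPLE_INVENTORY = [
    ("site-a", "spm500-01", "4.10"),
    ("site-a", "spm500-02", "4.10A"),
    ("site-b", "spm500-03", "4.05"),
    ("site-b", "spm500-04", "v4.10a"),
    ("site-c", "spm500-05", ""),
]

if __name__ == "__main__":
    for status, rows in remediation_status(SAMPLE_INVENTORY).items():
        print(f"{status}: {rows}")
```

Devices that land in "unknown" need a manual check before they are counted as remediated.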
Evidence notes
Source evidence comes from the CISA CSAF advisory ICSA-25-203-01 for CVE-2025-53703, published 2025-07-22. The advisory states that the affected product transmits sensitive data without encryption over a channel that could be intercepted by attackers. It lists the affected product as DuraComm Corporation SPM-500 DP-10iN-100-MU: <=4.10 and recommends updating to Version 4.10A. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. No KEV entry or ransomware campaign association is present in the supplied enrichment.
Official resources
- CVE-2025-53703 CVE record (CVE.org)
- CVE-2025-53703 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2025-07-22 with initial publication noted in the revision history. The supplied data indicates this was the initial release and does not include KEV listing information.