CISA Warns All Dingtian DT-R002 Relays Expose Credentials (CVE-2025-10879/10880)

CISA has published a new Industrial Control Systems advisory highlighting two high-impact credential-exposure vulnerabilities in the Dingtian DT‑R002 relay board, warning that all firmware versions are affected and urging immediate defensive actions while noting the vendor has not engaged with mitigation efforts.

Background

The Cybersecurity and Infrastructure Security Agency (CISA) released Advisory ICSA‑25‑268‑01 on September 25, 2025, identifying two related vulnerabilities in the China‑headquartered vendor Dingtian’s DT‑R002 relay board. The advisory assigns CVE‑2025‑10879 and CVE‑2025‑10880 to the issues and calculates a CVSS v4 base score of 8.7, describing the problems as Insufficiently Protected Credentials with remote exploitability and low attack complexity. The advisory explicitly states that all versions of the DT‑R002 device are affected.
This advisory follows a pattern of repeated security notices about Dingtian devices dating back to 2022 and continuing through 2023 and 2025, where multiple authentication and bypass issues were previously documented. Those prior advisories and community writeups show Dingtian devices have been a recurring source of ICS/OT risk, making the new findings part of an ongoing operational-security problem for users of inexpensive relay‑board hardware in industrial environments.

Executive summary of the technical findings

  • Affected product: Dingtian DT‑R002 relay board — all versions reported by CISA.
  • Vulnerability types: Insufficiently protected credentials that allow unauthenticated retrieval of the current user’s username and extraction of the device’s proprietary “Dingtian Binary” protocol password via unauthenticated GET requests.
  • Assigned identifiers: CVE‑2025‑10879 and CVE‑2025‑10880.
  • Severity & exploitability: CVSS v4 = 8.7; remotely exploitable with low attack complexity and no privileges required.
  • Vendor response: Dingtian has not cooperated with CISA for remediation at time of publication; CISA recommends defensive mitigations while awaiting vendor action.

Why these vulnerabilities matter for ICS and critical manufacturing

Relay boards such as the DT‑R002 are small, inexpensive components that are often embedded into larger control systems for local I/O, switching, or as part of remote telemetry setups. In critical manufacturing and similar operational environments these boards can:
  • Directly control actuators, relays, and power circuits, making them a safety‑relevant part of the control chain.
  • Serve as entry points into OT networks when they are connected to Ethernet/Wi‑Fi interfaces or bridge protocols like Modbus or proprietary binary protocols.
  • Be widely deployed across many small installations where formal patching and asset‑management practices are weak or non‑existent.
Because the Dingtian DT‑R002 flaws disclose credentials and protocol secrets without authentication, a remote attacker who can reach the device (directly, or through a device‑facing service reached by lateral movement) can operate it or use that access to reach adjacent systems. The short‑term impact ranges from unauthorized relay switching to full control of the device's operation; the long‑term impact includes persistent footholds, lateral movement through OT/IT bridges, and sabotage or safety incidents.

Technical analysis — what the advisories reveal

Attack surface and mechanics

CISA’s technical breakdown identifies two credential‑related weaknesses:
  • An unauthenticated information‑disclosure endpoint that reveals the current user’s username (CVE‑2025‑10879).
  • An unauthenticated path that returns the password used by the device’s proprietary “Dingtian Binary” protocol (CVE‑2025‑10880), retrievable via a crafted GET request.
Both issues are network‑facing and do not require prior authentication, which means an attacker only needs network reachability to exploit them. The CVSS vector data published in the advisory confirms network attack vector, no required privileges, and substantial confidentiality impact.

Scope: “All versions” is especially concerning

CISA explicitly lists DT‑R002: All versions as affected. That claim narrows defensive options—if accurate, device owners cannot rely on a non‑vulnerable firmware version and must instead depend on network‑level mitigations or vendor‑issued firmware updates. Historically, Dingtian devices have had a series of authentication and replay vulnerabilities reported publicly, and past advisories show vendors sometimes fail to respond promptly, meaning network defenses remain the practical control. Independent vulnerability trackers and national CERT summaries have documented prior Dingtian issues, reinforcing the seriousness of a claim that every DT‑R002 unit is affected.

Researcher attribution and transparency

CISA credits Nicolas Cano and Reid Wightman of Dragos for reporting these vulnerabilities—both are known ICS vulnerability analysts—while noting Dingtian did not cooperate with mitigation requests. The inclusion of reputable ICS researchers in the discovery increases confidence in the technical accuracy of the findings, though vendor engagement remains the missing piece for remediation.

Practical mitigations: immediate actions for defenders

The advisory includes recommended mitigations; the following list expands those into a prioritized, operational checklist defenders can apply now.
  • Network isolation and segmentation (top priority):
    • Ensure DT‑R002 devices are not reachable from the public internet and are placed on isolated OT VLANs.
    • Use strict ACLs and firewall rules to limit inbound access to the device management ports. CISA specifically calls out HTTP (TCP/80) and the Dingtian protocol UDP/60000 and UDP/60001 as services to restrict.
  • Block/monitor the vulnerable endpoints:
    • Implement IDS/IPS signatures or filtering rules to detect or drop unauthenticated GETs that probe for device configuration endpoints. The advisory does not publish the vulnerable URI, so key the rules on any HTTP request to a relay from a host outside the management allowlist and on request rate rather than on a specific path. Log all queries to device web interfaces and alert on anomalous patterns.
  • Use jump hosts and hardened remote access:
    • Replace direct remote access with a hardened jump server or bastion host that enforces multi‑factor authentication, strict logging, and limited session timeouts. If VPNs are used, keep them updated and limit which clients may connect. CISA recognizes VPNs as better than nothing but warns they have their own vulnerabilities and are only as secure as the devices connecting through them.
  • Enforce least privilege and operational separation:
    • Remove management functions from general OT user accounts; where possible, require authenticated, auditable channels for control and configuration changes.
  • Inventory & asset validation:
    • Identify every DT‑R002 (and sibling models) across the environment and record firmware versions; since all versions are affected, the version matters for tracking a future vendor fix, not for deciding exposure.
    • If devices cannot be patched, create compensating controls such as physical network segmentation or temporary device removal from production until mitigations are in place.
  • Incident readiness & logging:
    • Ensure SIEM and OT logging capture all management requests to relay boards, record all successful and failed access attempts, and have an IR playbook ready to isolate and analyze suspect devices.
  • Vendor engagement & replacement plan:
    • Persist in contacting Dingtian support; document all communications. Where vendor remediation is absent or slow, plan phased replacement with devices from vendors that provide security advisories, firmware signing, and responsible disclosure programs.
CISA’s advisory lists these defensive measures and emphasizes the need to minimize exposure and use defense‑in‑depth strategies for ICS assets.
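The ACL item in the checklist above can be turned into an explicit, testable policy. The following is an added example, not code from CISA or Dingtian: a small Python generator that emits an nftables ruleset allowing only a jump host to reach the three ports the advisory names on the inventoried relays, logging and dropping everything else sent to those ports, plus a function that mirrors the rule logic so the policy can be checked against concrete flows before it is loaded. The relay addresses, the jump‑host address and the table name are assumptions for illustration; the port numbers come from the advisory.

```python
"""Generate and sanity-check an nftables policy that limits the DT-R002
ports named in the advisory (HTTP TCP/80, Dingtian Binary protocol
UDP/60000 and UDP/60001) to a designated jump host.

Added example, not code from CISA or Dingtian. The relay and jump-host
addresses and the table name are assumptions for illustration.
"""
import ipaddress

HTTP_PORT = 80
DINGTIAN_UDP_PORTS = (60000, 60001)   # from the advisory's mitigation guidance


def _ipv4_list(addrs):
    """Validate and sort addresses so the emitted ruleset is deterministic."""
    ips = sorted(ipaddress.IPv4Address(a) for a in addrs)
    if not ips:
        raise ValueError("address list must not be empty")
    return [str(ip) for ip in ips]


def build_ruleset(relays, jump_hosts, table="dtr002"):
    """Return an nftables ruleset (load with `nft -f`) as a string.

    Policy: traffic to the restricted ports on any relay is accepted only
    from the jump hosts; anything else to those ports is logged and dropped.
    Other traffic falls through to the rest of the firewall (policy accept).
    """
    relay_set = ", ".join(_ipv4_list(relays))
    jump_set = ", ".join(_ipv4_list(jump_hosts))
    udp_set = ", ".join(str(p) for p in DINGTIAN_UDP_PORTS)
    return f"""\
table inet {table} {{
    set relays {{ type ipv4_addr; elements = {{ {relay_set} }} }}
    set jump_hosts {{ type ipv4_addr; elements = {{ {jump_set} }} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip saddr @jump_hosts ip daddr @relays tcp dport {HTTP_PORT} accept
        ip saddr @jump_hosts ip daddr @relays udp dport {{ {udp_set} }} accept
        ip daddr @relays tcp dport {HTTP_PORT} log prefix "dtr002-blocked " drop
        ip daddr @relays udp dport {{ {udp_set} }} log prefix "dtr002-blocked " drop
    }}
}}
"""


def policy_decision(src, dst, proto, dport, relays, jump_hosts):
    """Mirror of the ruleset above, so the intended policy can be checked
    against concrete flows before it is loaded on a gateway.
    Returns "accept", "drop", or "pass" (not matched by this table)."""
    if dst not in _ipv4_list(relays):
        return "pass"
    restricted = (proto == "tcp" and dport == HTTP_PORT) or \
                 (proto == "udp" and dport in DINGTIAN_UDP_PORTS)
    if not restricted:
        return "pass"
    return "accept" if src in _ipv4_list(jump_hosts) else "drop"


if __name__ == "__main__":
    # Assumed inventory: two relays, one jump host.
    print(build_ruleset(["10.0.5.11", "10.0.5.10"], ["10.0.1.5"]))
```

Load the output on the gateway that separates the relay VLAN from the rest of the plant. Because the rules sit on the `forward` hook they govern traffic routed through that gateway, not traffic between hosts on the same VLAN, which is why the relays still need their own segment. The `dtr002-blocked` log prefix gives the SIEM a concrete string to match.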

Detection guidance — what to look for now

  • Unusual HTTP GET requests to DT‑R002 devices, or any retrieval attempts against endpoints that look like configuration or binary‑protocol dumps; the advisory does not publish the vulnerable URI, so match on the source and destination of web requests to the relays rather than on a path.
  • UDP traffic toward ports 60000 and 60001 originating from unfamiliar hosts or external networks.
  • Unexpected login attempts or configuration changes on local management consoles, especially any that succeed without a preceding authentication event.
  • Traffic patterns consistent with credential enumeration or automated probing (high request rates, repeated distinct URIs).
Feed these behavioral indicators into network monitoring tools (they are patterns, not atomic IOCs such as file hashes or attacker addresses), and treat any evidence of probing as a high‑priority incident until proven benign. CISA’s advisory explicitly cites HTTP and the Dingtian protocol ports as high‑risk surfaces.
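As an added example, not code from CISA or Dragos, the following Python script applies the indicators above to Zeek‑style conn.log and http.log records: Dingtian‑protocol UDP flows to a relay from a host not on the management allowlist, any HTTP request to a relay from such a host, and one source touching several distinct URIs on a relay inside a short window. The relay inventory, the allowlist and the log lines are constructed for illustration, and because the advisory does not publish the vulnerable URI the logic deliberately matches on who is talking to the relays, on which ports, and how fast, not on a path.

```python
"""Flag the behaviours in the detection guidance over Zeek-style logs.

Added example, not from CISA or Dragos. The inventory, the management
allowlist and the log records below are constructed for illustration;
the column subset is Zeek-like but simplified.
"""
from collections import defaultdict

DINGTIAN_UDP_PORTS = {60000, 60001}   # ports named in the advisory

# Assumed inventory and management allowlist (constructed).
RELAYS = {"10.0.5.10", "10.0.5.11"}
MANAGEMENT_HOSTS = {"10.0.1.5"}       # jump host permitted to reach the relays

CONN_FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto")
HTTP_FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "method", "uri", "status")

# Constructed conn.log records: one legitimate jump-host flow, two protocol
# flows from an unknown host, and one unrelated SSH attempt.
CONN_LOG = """\
1758800000.10\t10.0.1.5\t50123\t10.0.5.10\t60000\tudp
1758800001.20\t10.0.7.42\t41000\t10.0.5.10\t60000\tudp
1758800002.30\t10.0.7.42\t41001\t10.0.5.11\t60001\tudp
1758800003.40\t10.0.7.42\t41002\t10.0.5.11\t22\ttcp
"""
# Constructed http.log records; the URIs are placeholders, not real endpoints.
HTTP_LOG = """\
1758800010.00\t10.0.1.5\t10.0.5.10\t80\tGET\t/\t200
1758800011.00\t10.0.7.42\t10.0.5.10\t80\tGET\t/a\t404
1758800011.20\t10.0.7.42\t10.0.5.10\t80\tGET\t/b\t404
1758800011.40\t10.0.7.42\t10.0.5.10\t80\tGET\t/c\t200
1758800011.60\t10.0.7.42\t10.0.5.10\t80\tGET\t/d\t200
"""


def parse_tsv(text, fields):
    """Parse tab-separated records; skip Zeek '#' header lines and malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def detect_udp_protocol_access(conn, relays=RELAYS, allowed=MANAGEMENT_HOSTS):
    """Dingtian protocol traffic to a relay from a host outside the allowlist."""
    return [("udp_protocol_access", r["orig_h"], r["resp_h"], int(r["resp_p"]))
            for r in conn
            if r["proto"] == "udp" and r["resp_h"] in relays
            and int(r["resp_p"]) in DINGTIAN_UDP_PORTS
            and r["orig_h"] not in allowed]


def detect_http_access(http, relays=RELAYS, allowed=MANAGEMENT_HOSTS):
    """Any HTTP request to a relay's web interface from a host outside the allowlist."""
    return [("http_access", r["orig_h"], r["resp_h"], r["uri"])
            for r in http
            if r["resp_h"] in relays and r["orig_h"] not in allowed]


def detect_enumeration(http, relays=RELAYS, window=60.0, min_distinct=3):
    """One source requesting many distinct URIs on a relay within `window` seconds."""
    by_pair = defaultdict(list)
    for r in http:
        if r["resp_h"] in relays:
            by_pair[(r["orig_h"], r["resp_h"])].append((r["ts"], r["uri"]))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):            # sliding window start
            distinct = {uri for ts, uri in hits[i:] if ts - t0 <= window}
            if len(distinct) >= min_distinct:
                alerts.append(("enumeration", src, dst, len(distinct)))
                break                                  # one alert per pair
    return alerts


def run_detection(conn_text=CONN_LOG, http_text=HTTP_LOG):
    """Run all three rules and return the combined alert list."""
    conn = parse_tsv(conn_text, CONN_FIELDS)
    http = parse_tsv(http_text, HTTP_FIELDS)
    return (detect_udp_protocol_access(conn)
            + detect_http_access(http)
            + detect_enumeration(http))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed data the jump host's traffic produces nothing, while 10.0.7.42 trips all three rules; in production, point the parser at the real Zeek logs and tune `window` and `min_distinct` to the normal polling behaviour of the HMIs that legitimately talk to the relays.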

Broader implications and sector risk

1) Supply‑chain & vendor maturity concerns

This advisory underscores a recurring problem in ICS/OT supply chains: inexpensive hardware vendors frequently ship devices with inadequate authentication and protocol protection, then fail to maintain a responsive patch lifecycle. CISA’s note that Dingtian did not respond to mitigation efforts is a red flag for procurement teams that rely on vendor cooperation for security. Independent national CERTs and vulnerability trackers have repeatedly documented Dingtian issues in multiple advisories across 2023–2025.

2) Small and mid‑sized industrial operators are especially exposed

Many small manufacturers or OEM integrators use low‑cost relay boards for machine control or telematics. These organizations often lack mature OT‑security programs, making them likely to leave vulnerable devices accessible and unmonitored. That increases the probability of opportunistic compromise, ransomware pivots, or persistent intrusion—particularly in value chains where one compromised supplier can affect many downstream operators.

3) Attack scenarios

  • Credential harvest → remote control: An attacker extracts protocol passwords and uses them to send control messages to relays, causing equipment shutdowns or dangerous state changes.
  • Lateral pivoting: Exposed DT‑R002 devices provide an attacker a foothold in OT network segments that can be used to move into HMIs, historians, or engineering workstations.
  • Supply‑chain sabotage: An attacker embeds into widely deployed modules and waits for opportune conditions to trigger widespread disruption.
Historical public exploit code against other DT‑R002 vulnerabilities (e.g., earlier capture‑replay and authentication bypass issues) shows these devices have attracted attention and research, increasing the risk that proof‑of‑concepts will be reused or adapted for the new credential exposures.

Strengths and limitations of CISA’s advisory

Strengths

  • CISA provides concise, actionable technical detail (CVE identifiers, CVSS ratings, specific ports and protocols) that defenders can operationalize immediately. The advisory names the exact device, threat vectors, and offers a prioritized set of mitigations aligned with established defense‑in‑depth guidance. This makes the bulletin usable by SOC and ICS teams for immediate risk reduction.
  • Attribution to well‑known ICS researchers lends credibility to the technical content; detection rules derived from the advisory still need to be tuned and validated against the local environment.

Limitations and unanswered questions

  • Vendor non‑cooperation: With Dingtian unresponsive, defenders have no vendor‑backed firmware fix to apply; that forces organizations into long‑term compensating controls, which can be operationally expensive and brittle. This lack of remediation also prevents defenders from validating whether the vulnerabilities affect derivative or OEM‑branded variants.
  • “All versions” claim: While CISA’s claim that all versions are affected simplifies defenders’ decision (treat every unit as vulnerable), it raises questions about whether a fix is feasible via configuration or if full hardware replacement is necessary. Until Dingtian publishes a firmware update or more granular technical notes, operators must assume worst‑case exposure.
  • Public exploit availability: CISA states no known public exploitation specific to these new CVEs had been reported at release time, but earlier DT‑R002 vulnerabilities have had public proof‑of‑concepts, meaning the attack knowledge base for this product line exists and could accelerate exploitation. Defenders must not rely on the absence of observed exploitation as safety.

Recommended short‑, medium‑, and long‑term roadmap for affected organizations

Short term (hours to days)

  • Immediately identify and isolate all DT‑R002 devices from untrusted networks.
  • Block TCP/80, UDP/60000, and UDP/60001 at network boundaries where those devices live unless explicitly required for operational use.
  • Implement monitoring rules for suspicious GET requests and log all activity to a central SIEM.

Medium term (weeks)

  • Replace external remote access with jump hosts and limit VPN endpoints to a small, managed set of clients.
  • Conduct a targeted inventory and risk assessment to identify other cheap embedded devices with similar vendor‑oriented risks.
  • Engage procurement and engineering to identify vendor alternatives with secure development and disclosure practices.

Long term (months to quarters)

  • Formalize vendor security requirements into procurement contracts (secure update mechanisms, signed firmware, vulnerability disclosure policy).
  • Harden OT network architectures to eliminate direct device internet exposure and enforce micro‑segmentation for critical assets.
  • Run red‑team exercises that specifically test small embedded devices and common vendor default configurations.

Final assessment and call to action

The CISA advisory released on September 25, 2025, is a high‑value alert: it names concrete CVEs and attack vectors, quantifies severity, and offers immediate mitigations. The real operational problem, however, is not the advisory itself but the persistent lack of secure defaults and vendor responsiveness for low‑cost ICS devices, a recurring theme in Dingtian’s public security record. Defenders should treat every DT‑R002 deployment as reachable by an attacker until its isolation has been verified, implement strict network isolation and monitoring, and accelerate procurement changes that favor vendors with demonstrable secure‑product lifecycles.
No single advisory fixes the systemic issue of insecure ICS components. Organizations that operate, integrate, or manage these devices should act immediately on the practical steps above, document their mitigation decisions, and pressure suppliers to provide firmware fixes, signed updates, and transparent vulnerability‑response programs. The combination of responsible disclosure by researchers and decisive operational controls by asset owners is the only sustainable path to reduce this category of risk across critical manufacturing and other ICS‑dependent sectors.

Conclusion: treat the DT‑R002 advisory as urgent operational intelligence—apply the network‑level mitigations now, inventory and isolate affected devices, and plan for vendor‑agnostic remediation options while demanding better product security from every ICS hardware supplier.

Source: CISA, “CISA Releases One Industrial Control Systems Advisory”
 
