A new CISA Industrial Control Systems advisory published today warns that the Dingtian DT‑R002 relay board contains two distinct Insufficiently Protected Credentials vulnerabilities that allow unauthenticated remote attackers to enumerate user identities and extract a proprietary protocol password — a combination that materially raises the risk of unauthorized access and protocol-level control in industrial environments.
Background / Overview
The Dingtian DT‑R002 is a small relay I/O device used in industrial automation and distributed control installations worldwide. The device exposes an HTTP management interface and a proprietary “Dingtian Binary” protocol that operates over UDP. On September 25, 2025 the Cybersecurity and Infrastructure Security Agency (CISA) published advisory ICSA‑25‑268‑01 documenting two vulnerabilities, assigned CVE‑2025‑10879 and CVE‑2025‑10880, which together allow credential disclosure without authentication and protocol password extraction via unauthenticated requests. The advisory assigns a CVSS v4 base score of 8.7 to each finding and notes remote exploitability with low attack complexity. This advisory follows earlier CISA advisories related to Dingtian devices (including the DT‑R0 Series disclosed in February 2025 and DT‑R002 advisories from 2023), but the new findings are notable because they affect all versions of DT‑R002 and permit retrieval of secrets without any prior authentication. The vulnerabilities were reported by researchers Nicolas Cano and Reid Wightman of Dragos.
What CISA found: technical summary
The two issues (what they let an attacker do)
- CVE‑2025‑10879 — Insufficiently Protected Credentials (CWE‑522): An unauthenticated actor can retrieve the current user’s username from the device without authenticating to the HTTP management interface. This disclosure of account identities is more than a nuisance: combined with other vulnerabilities or default credentials, it simplifies brute‑force and targeted credential attacks. CISA documents a CVSS v3.1 base score of 7.5 for confidentiality impact and a CVSS v4 score of 8.7.
- CVE‑2025‑10880 — Insufficiently Protected Credentials (CWE‑522): An unauthenticated GET request against the device can leak the proprietary “Dingtian Binary” protocol password — the secret used by the device for protocol‑level authentication/communication over UDP. Disclosure of this password allows an attacker to craft or impersonate protocol traffic, potentially enabling device control, command injection, or escalation scenarios that bypass higher‑level HTTP protections. This finding carries the same scoring (CVSS v3.1 7.5, CVSS v4 8.7) in CISA’s assessment.
Attack surface and vectors
- The HTTP management service (TCP/80) is directly implicated for username disclosure.
- The Dingtian Binary protocol uses UDP ports 60000 and 60001, and CISA and the researchers recommend restricting access to those ports to reduce exposure.
- Both vulnerabilities are exploitable remotely and require no authentication or valid session state, increasing their operational risk in networked deployments where these devices are reachable from maintenance or corporate networks.
Who reported and vendor response
The two vulnerabilities were reported to CISA by Dragos researchers Nicolas Cano and Reid Wightman. According to the advisory, Dingtian has not responded to CISA requests to coordinate mitigations, and no vendor firmware or vendor‑provided workarounds are referenced in the advisory at the time of publication. CISA therefore recommends defensive measures and network controls as the primary mitigations.
Cross‑checking the record and independent corroboration
CISA’s advisory is the authoritative public disclosure for these flaws and includes the CVE assignments and scoring. Independent vulnerability aggregators and CVE tracking services corroborate the existence and severity of Dingtian DT series vulnerabilities in recent months — for example, prior Dingtian advisories and CVE entries appeared in multiple vulnerability databases and security aggregators that tracked the DT‑R0 family and associated high‑severity authentication bypass issues earlier in 2025. Those prior records underscore a continuing pattern of authentication and credential handling weaknesses in Dingtian devices and provide context supporting CISA’s high‑severity treatment of these new findings.
Internal incident desk and forum digests in the security community have also highlighted CISA’s recommendations — notably restricting HTTP and the Dingtian protocol UDP ports and isolating devices from internet access — which aligns with the mitigation guidance that CISA and the Dragos researchers provided. Where vendor coordination is missing, the pragmatic defensive posture is network restriction and enhanced detection.
Risk evaluation — what this means in practice
Confidentiality and access risk
Credential disclosure is a high‑value outcome for attackers. Revealing usernames lowers the work factor for credential stuffing, targeted brute force, and social engineering; leaking a protocol password is materially worse because it can allow protocol‑level impersonation or manipulation. With the Dingtian Binary password in hand, an attacker could:
- Forge protocol messages to manipulate I/O state or actuator commands.
- Intercept and replay legitimate protocol traffic to create unauthorized behaviour.
- Use protocol knowledge to enumerate additional device internals or pivot to other devices that trust the same protocol secret.
Availability and operational impact
While these particular CVEs are not described as direct remote denial‑of‑service flaws, credential and protocol compromise can lead to indirect availability impacts. For example, an attacker using a protocol password could manipulate outputs or force unsafe conditions, causing automated shutdowns, interlocks, or manual interventions that halt production. The risk profile increases when devices are in distributed control networks with minimal segmentation.
Likelihood and exploitation window
CISA classifies the vulnerabilities as remotely exploitable with low attack complexity and no required user interaction, which shortens the window before opportunistic or targeted attacks might appear. As of the advisory’s publication, CISA reports no known public exploitation specifically targeting these vulnerabilities, but low‑complexity unauthenticated disclosures historically tend to be prioritized by attackers once public details circulate. The lack of a vendor patch exacerbates the urgency.
Immediate mitigations — prioritized actions for operators
When vendor fixes are not available, defending industrial assets requires rapid, layered measures. The following remediation checklist is prioritized for immediate implementation:
- Inventory and isolate
  - Identify every DT‑R002 device on your network. Use asset discovery tools and maintain an authoritative inventory.
  - Immediately ensure none of these devices are exposed to the internet. Remove firewall rules that permit inbound TCP/80 or UDP/60000–60001 from untrusted networks.
- Block and restrict protocols
  - Block or tightly restrict access to HTTP (TCP/80) for management interfaces to a trusted management VLAN or jump‑host only.
  - Restrict UDP/60000 and UDP/60001 to known trusted maintenance hosts; deny all other sources.
- Network segmentation and access control
  - Place DT‑R002 devices behind industrial firewalls and separate them from corporate IT networks using VLANs, ACLs, and explicit firewall rules.
  - Enforce least privilege for maintenance connections (allow only specific management hosts/subnets).
- Monitoring and detection
  - Deploy IDS/IPS rules and network monitoring to detect unusual GET requests to device HTTP endpoints and anomalous UDP traffic on 60000/60001.
  - Monitor logs for repeated unauthenticated requests, unexpected connections, and protocol anomalies; escalate suspicious activity for incident response.
- Hardening and credential hygiene
  - Where possible, rotate any locally stored passwords and ensure defaults are not used. Treat protocol passwords as sensitive secrets and rotate them after suspected exposure.
  - If device administration allows disabling unused services (for example disabling web management if not required), do so.
- Secure remote access
  - If remote management is required, use a hardened VPN or remote jump host architecture with multi‑factor authentication and endpoint posture checks — recognizing that VPNs are not a panacea and must be kept up to date.
- Report and coordinate
  - Report any suspected compromise to CISA or your national CERT / CSIRT and follow established incident response procedures. CISA provides guidance and encourages reporting for correlation and tracking.
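The "remove firewall rules that permit inbound TCP/80 or UDP/60000–60001 from untrusted networks" step above is easy to state and easy to get wrong on a large ruleset. The following audit script is an added example written for this article; it is not code from CISA, Dragos or Dingtian. It reads iptables-save syntax (a subset: `-A`, `-p`, `-s`, `-d`, `--dport`/`--dports`, `-j`; other matches are ignored) and reports every ACCEPT rule that lets a source outside the trusted management networks reach the advisory's ports on a known DT‑R002 address. The device addresses, trusted network and sample rules are constructed for the example; the port list comes from the advisory.

```python
"""Audit iptables-save style rules for DT-R002 exposure (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Ports named in the advisory: HTTP management and the Dingtian Binary protocol.
SENSITIVE_PORTS = {"tcp": {80}, "udp": {60000, 60001}}

DT_R002_DEVICES = ["10.20.1.17", "10.20.1.18"]   # constructed inventory
TRUSTED_MGMT_NETS = ["10.10.5.0/24"]             # constructed management VLAN

# Constructed sample in iptables-save syntax; not a real ruleset.
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.10.5.0/24 -d 10.20.1.0/24 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.30.0.0/16 -d 10.20.1.17 -p udp -m multiport --dports 60000,60001 -j ACCEPT
-A FORWARD -d 10.20.1.17 -p tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.20.1.0/24 -p udp --dport 60000:60001 -j DROP
-A FORWARD -s 192.0.2.0/24 -d 10.20.1.17 -p tcp --dport 80 -m comment --comment "legacy vendor access" -j ACCEPT
COMMIT
"""


@dataclass
class Finding:
    rule: str
    reason: str


def _expand_ports(spec: str) -> set:
    """'80' -> {80}; '60000:60001' -> {60000, 60001}; lists are comma separated."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _parse_rule(line: str) -> Optional[dict]:
    """Extract proto/src/dst/ports/target from one '-A' line. A negated match
    ('! -s ...') is read as 'any', which is the conservative choice for an audit."""
    toks = shlex.split(line)
    if not toks or toks[0] != "-A":
        return None
    rule = {"proto": None, "src": None, "dst": None, "ports": None, "target": None}
    negate, i = False, 1
    while i < len(toks):
        tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok in ("-p", "--protocol"):
            rule["proto"] = None if negate else arg.lower()
        elif tok in ("-s", "--source"):
            rule["src"] = None if negate else ipaddress.ip_network(arg, strict=False)
        elif tok in ("-d", "--destination"):
            rule["dst"] = None if negate else ipaddress.ip_network(arg, strict=False)
        elif tok in ("--dport", "--destination-port", "--dports", "--destination-ports"):
            rule["ports"] = None if negate else _expand_ports(arg)
        elif tok == "-j":
            rule["target"] = arg
        else:                      # chain name, -m, -i, comment text, ...: skip token
            negate, i = False, i + 1
            continue
        negate, i = False, i + 2
    return rule


def audit_rules(rules_text: str, dt_devices, trusted_mgmt_nets) -> list:
    """One Finding per ACCEPT rule that opens a sensitive port on a DT-R002 to a
    source that is not wholly inside a trusted management network."""
    devices = [ipaddress.ip_address(d) for d in dt_devices]
    trusted = [ipaddress.ip_network(n) for n in trusted_mgmt_nets]
    findings = []
    for line in rules_text.splitlines():
        rule = _parse_rule(line)
        if rule is None or rule["target"] != "ACCEPT":
            continue
        if rule["proto"] in (None, "all"):
            protos = list(SENSITIVE_PORTS)          # no -p: rule matches every protocol
        elif rule["proto"] in SENSITIVE_PORTS:
            protos = [rule["proto"]]
        else:
            continue
        opened = set()
        for proto in protos:
            hit = SENSITIVE_PORTS[proto] if rule["ports"] is None else SENSITIVE_PORTS[proto] & rule["ports"]
            opened.update(f"{proto}/{p}" for p in hit)
        reached = [str(d) for d in devices if rule["dst"] is None or d in rule["dst"]]
        if not opened or not reached:
            continue
        src = rule["src"]
        if src is not None and any(src.version == t.version and src.subnet_of(t) for t in trusted):
            continue                                # wholly inside a trusted net: allowed
        origin = "any source" if src is None else str(src)
        findings.append(Finding(line.strip(), f"permits {', '.join(sorted(opened))} to {', '.join(reached)} from {origin}"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, DT_R002_DEVICES, TRUSTED_MGMT_NETS):
        print(f"EXPOSED: {f.reason}\n    {f.rule}")
```

Run it against `iptables-save` output from the firewall in front of the OT segment, with the real device list and management VLAN substituted. Rules that match on interfaces or connection state are evaluated on address and port only, so the script over-reports rather than under-reports, which is the right bias for a one-off exposure check.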
Detection, logging, and IDS signatures — practical suggestions
Detection is as vital as prevention. System administrators and security teams should implement the following detection controls:
- Create IDS/IPS signatures that alert on unauthenticated GET payloads matching patterns tied to credential‑retrieval endpoints; monitor for repeated GETs to the webserver root or other management URIs.
- Monitor UDP flows on ports 60000 and 60001 for anomalous packet sizes, unexpected source addresses, or repeated authentication‑related requests. Create alerts on spikes in UDP traffic to these ports.
- Correlate unusual HTTP and UDP activity with process anomalies (e.g., unexpected state changes in I/O points) to detect potential active exploitation.
- Capture PCAP samples for forensic analysis if suspicious activity is found — protocol password use may appear in plaintext within the proprietary binary messages.
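The detection controls above reduce to a few checks over flow records: protocol-port traffic from outside the maintenance allowlist, unexpected HTTP clients, bursts of GETs to the management interface, and oversized datagrams on the protocol ports. The script below is an added example for this article, not code from CISA or Dragos. Its record format is a constructed, hypothetical CSV export (timestamp, protocol, addresses, ports, bytes, request line); adapt the reader to whatever your sensor emits. The inventory, allowlist, burst threshold and byte ceiling are assumptions to tune from your own baseline; the ports are the advisory's.

```python
"""Detection logic for DT-R002 management and protocol traffic (added example)."""
import csv
import io
from collections import defaultdict, deque
from dataclasses import dataclass

DT_R002_DEVICES = {"10.20.1.17", "10.20.1.18"}   # constructed inventory
TRUSTED_MAINT_HOSTS = {"10.10.5.21"}             # constructed maintenance allowlist
PROTOCOL_PORTS = {60000, 60001}                  # Dingtian Binary (advisory)
HTTP_PORT = 80                                   # HTTP management (advisory)
GET_BURST_THRESHOLD = 5       # assumption: this many GETs in the window is a burst
GET_BURST_WINDOW_S = 60.0     # assumption
MAX_EXPECTED_UDP_BYTES = 256  # assumption: set from observed normal datagram sizes

# Constructed sample records in a hypothetical sensor export format.
SAMPLE_RECORDS = """\
ts,proto,src,sport,dst,dport,bytes,request
1758800000.0,udp,10.10.5.21,51000,10.20.1.17,60000,48,
1758800001.2,udp,10.10.5.21,51000,10.20.1.17,60001,52,
1758800003.7,udp,10.30.7.9,44120,10.20.1.17,60000,48,
1758800004.0,tcp,10.30.7.9,44200,10.20.1.17,80,312,GET /
1758800010.1,tcp,10.10.5.21,52000,10.20.1.18,80,290,GET /
1758800012.5,tcp,10.10.5.21,52001,10.20.1.18,80,290,GET /
1758800015.0,tcp,10.10.5.21,52002,10.20.1.18,80,290,GET /
1758800017.3,tcp,10.10.5.21,52003,10.20.1.18,80,290,GET /
1758800019.9,tcp,10.10.5.21,52004,10.20.1.18,80,290,GET /
1758800030.0,udp,10.10.5.21,51000,10.20.1.17,60000,1400,
1758800031.0,tcp,10.10.5.21,52010,10.20.1.17,80,290,GET /
"""


@dataclass
class Alert:
    ts: float
    rule: str
    src: str
    dst: str
    detail: str


def detect(records_csv: str) -> list:
    """Run the four checks over records in time order and return the alerts."""
    alerts = []
    recent_gets = defaultdict(deque)   # src -> timestamps of its GETs in the window
    for row in csv.DictReader(io.StringIO(records_csv)):
        ts, src, dst = float(row["ts"]), row["src"], row["dst"]
        proto, dport, size = row["proto"], int(row["dport"]), int(row["bytes"])
        if dst not in DT_R002_DEVICES:
            continue                   # only traffic towards the relay boards matters here
        untrusted = src not in TRUSTED_MAINT_HOSTS
        if proto == "udp" and dport in PROTOCOL_PORTS:
            if untrusted:
                alerts.append(Alert(ts, "untrusted_protocol_source", src, dst,
                                    f"udp/{dport} from outside the maintenance allowlist"))
            if size > MAX_EXPECTED_UDP_BYTES:
                alerts.append(Alert(ts, "udp_size_anomaly", src, dst, f"{size} bytes on udp/{dport}"))
        elif proto == "tcp" and dport == HTTP_PORT and row["request"].startswith("GET "):
            if untrusted:
                alerts.append(Alert(ts, "untrusted_http_source", src, dst, row["request"]))
            window = recent_gets[src]
            window.append(ts)
            while window and ts - window[0] > GET_BURST_WINDOW_S:
                window.popleft()       # drop GETs older than the sliding window
            if len(window) == GET_BURST_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(Alert(ts, "http_enumeration_burst", src, dst,
                                    f"{len(window)} GETs in {GET_BURST_WINDOW_S:.0f}s"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(f"{a.ts:.1f} {a.rule:26} {a.src} -> {a.dst}: {a.detail}")
```

The burst check deliberately applies to allowlisted hosts as well: a jump host that suddenly walks the web root of every relay board is exactly the signal worth escalating, and the "fire once per crossing" logic keeps a sustained scan from flooding the queue. Feed the same records into the correlation step (unexpected I/O state changes around an alert's timestamp) and retain the matching PCAP as the advisory guidance suggests.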
Vendor coordination and responsible disclosure — the accountability gap
CISA’s advisory explicitly states Dingtian did not respond to CISA’s outreach to mitigate these vulnerabilities; lacking vendor engagement, affected organizations are left to implement compensations themselves. This is a recurring issue with some ICS vendors: patch cycles are slow, and communications often lack transparency. The only durable fix for this class of issue is a vendor firmware update that removes credential leaks and protects protocol secrets.
Operators should persist in contacting Dingtian support and demand:
- A firmware update timeline and CVE remediation plan.
- Clear guidance on which versions are affected and how to validate device integrity after remediation.
- Steps for secure credential rotation and recommended hardening settings.
Longer‑term remediation and supply‑chain risk
These vulnerabilities highlight systemic weaknesses in many ICS product lifecycles:
- Embedded devices often embed secrets or expose sensitive management interfaces without sufficient protection.
- Patch management and secure development practices in some ICS vendors lag IT best practices; this creates persistent exposure across supply chains.
- Procurement and asset management must evaluate vendor security posture and require secure‑by‑design controls (e.g., no hardcoded or retrievable protocol passwords, secure authentication, and signed firmware).
- Establish vendor security requirements in procurement contracts, including vulnerability disclosure policies and SLA timelines for security patches.
- Introduce device lifecycle management that includes secure provisioning, credential rotation, and regular firmware updates.
- When possible, prefer devices that support modern, authenticated, and encrypted management channels; avoid devices that require plaintext or proprietary protocol secrets that can be trivially extracted.
What to tell stakeholders — concise briefing points for operations and leadership
- Two critical credential disclosure vulnerabilities (CVE‑2025‑10879 and CVE‑2025‑10880) affect all versions of the Dingtian DT‑R002 relay board and are exploitable remotely with low complexity.
- The disclosed flaws allow an attacker to retrieve a username and the Dingtian Binary protocol password without authentication — enabling protocol impersonation and significantly increasing the risk of unauthorized control.
- There is no vendor‑issued patch at publication time and Dingtian has not responded to CISA requests for coordinated mitigation; immediate defensive measures (network isolation, port restrictions, monitoring) are required.
- Prioritize discovery and isolation of DT‑R002 devices, restrict HTTP and UDP/60000–60001 access, tighten segmentation, and enable aggressive logging and IDS coverage.
Conclusion — urgency and the path forward
The Dingtian DT‑R002 advisory is a timely reminder that credential hygiene and minimal exposure are foundational to ICS security. The disclosure of both account identifiers and a protocol password without authentication materially increases the risk of unauthorized device control and lateral movement inside ICS networks. Operators must treat this as a high‑priority risk: inventory affected devices, apply immediate network restrictions (block TCP/80 and UDP/60000–60001 from untrusted networks), implement continuous monitoring, and insist that Dingtian provide firmware patches and remediation guidance.
Until vendor fixes are available and verified, defense‑in‑depth controls remain the only reliable risk reduction strategy. Organizations that mix IT and OT networks should accelerate segmentation, strengthen remote access controls, and apply industrial monitoring to detect suspicious management and protocol traffic. Timely reporting of incidents and sharing telemetry with national authorities will help raise the collective awareness and accelerate detection of any active exploitation attempts.
Quick checklist (for distribution to operations teams)
- Inventory all DT‑R002 units and record firmware/version metadata.
- Block external access to device HTTP (TCP/80) and Dingtian protocol UDP (60000, 60001).
- Move devices to an isolated management VLAN; enforce strict ACLs and jump‑host access.
- Enable IDS/IPS signatures for HTTP GET enumeration patterns and abnormal UDP traffic on 60000/60001.
- Rotate any known credentials where feasible and treat the Dingtian Binary password as compromised until proven otherwise.
- Contact Dingtian customer support for device‑specific guidance and log any vendor communications.
- Report suspicious activity to CISA or your national CSIRT and follow incident response procedures.
Source: CISA Dingtian DT-R002 | CISA