CVE-2025-10880

All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to extract the proprietary "Dingtian Binary" protocol password by sending an unauthenticated GET request.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01	Mitigation US Government Resource Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dingtian-tech:dt-r002_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:dingtian-tech:dt-r002:-:*:*:*:*:*:*:*

History

29 Sep 2025, 14:44

Type	Values Removed	Values Added
First Time		Dingtian-tech dt-r002 Firmware Dingtian-tech dt-r002 Dingtian-tech
References	~~() https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 -~~	() https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01 - Mitigation, US Government Resource, Third Party Advisory
CPE		cpe:2.3:h:dingtian-tech:dt-r002:-:::::::* cpe:2.3:o:dingtian-tech:dt-r002_firmware:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

25 Sep 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-25 17:15

Updated : 2025-09-29 14:44

NVD link : CVE-2025-10880

Mitre link : CVE-2025-10880

CVE.ORG link : CVE-2025-10880

JSON object : View

Products Affected

dingtian-tech

dt-r002
dt-r002_firmware

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2025-10880", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-09-25T17:15:38.090", "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-268-01", "tags": ["Mitigation", "US Government Resource", "Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to extract the proprietary \"Dingtian Binary\" protocol password by sending an unauthenticated GET request."}], "lastModified": "2025-09-29T14:44:22.307", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dingtian-tech:dt-r002_firmware:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B25A305A-579D-43AB-80AB-7C9093EC58DB"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dingtian-tech:dt-r002:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A66EBB54-A7E6-4627-9A00-AB11A5AF632B"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}