The US cybersecurity company CISA on Thursday warned {that a} Meteobridge vulnerability patched in Might has been exploited in assaults and added the flaw to its Recognized Exploited Vulnerabilities (KEV) catalog.
Meteobridge is a tool that permits directors to attach their climate stations to public climate networks. Station information assortment and system administration performance is offered by way of the Meteobridge internet interface.
Whereas Meteobridge shouldn’t be uncovered to the web, there are roughly 100 units which might be accessible from the general public internet, Shodan historic information reveals. This misconfiguration exposes susceptible units to potential assaults.
Tracked as CVE-2025-4008 (CVSS rating of 8.7), the Meteobridge bug now flagged as exploited was recognized in an internet interface endpoint (a CGI shell script) that’s liable to command injection.
The difficulty exists as a result of user-controlled enter is parsed and utilized in an eval name with out sanitization. Moreover, as a result of the susceptible CGI script is out there within the public folder, it’s not protected by authentication, permitting unauthenticated attackers to take advantage of the bug by way of a curl command.
“Distant exploitation by way of malicious webpage can be doable because it’s a GET request with none type of customized header or token parameter,” Onekey explains.
On Might 13, Smartbedded introduced that MeteoBridge model 6.2 was launched with fixes for “an utility safety threat”, with out mentioning the CVE or the vulnerability’s exploitation.
Now, CISA warns that risk actors have exploited the flaw in assaults, urging federal companies to deal with it inside the subsequent three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.Commercial. Scroll to proceed studying.
Whereas Onekey revealed technical particulars on CVE-2025-4008 and a proof-of-concept (PoC) exploit in Might, there have been no experiences of the bug’s in-the-wild exploitation previous to CISA including it to KEV.
On Thursday, CISA additionally expanded the KEV record with a latest Samsung zero-day (CVE-2025-21043) and with three outdated safety defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash OS (CVE-2014-6278, aka Shellshock), which have been flagged as exploited earlier than.
All organizations are suggested to deal with these 5 vulnerabilities, and all the issues described by CISA’s KEV record.
Associated: Oracle Says Recognized Vulnerabilities Probably Exploited in Latest Extortion Assaults
Associated: Organizations Warned of Exploited Sudo Vulnerability
Associated: WireTap Assault Breaks Intel SGX Safety
Associated: Chrome 141 and Firefox 143 Patches Repair Excessive-Severity Vulnerabilities
