Oct 03, 2025Ravie LakshmananVulnerability / IoT Safety
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a high-severity safety flaw impacting Smartbedded Meteobridge to its Recognized Exploited Vulnerabilities (KEV) catalog, citing proof of lively exploitation.
The vulnerability, CVE-2025-4008 (CVSS rating: 8.7), is a case of command injection within the Meteobridge internet interface that might end in code execution.
“Smartbedded Meteobridge incorporates a command injection vulnerability that might enable distant unauthenticated attackers to achieve arbitrary command execution with elevated privileges (root) on affected gadgets,” CISA Stated.
Based on ONEKEY, which found and reported the problem in late February 2025, the Meteobridge internet interface lets an administrator handle their climate station knowledge assortment and management the system via an internet software written in CGI shell scripts and C.
Particularly, the net interface exposes a “template.cgi” script via “/cgi-bin/template.cgi,” which is susceptible to command injection stemming from the insecure use of eval calls, permitting an attacker to produce specifically crafted requests to execute arbitrary code –
curl -i -u meteobridge: meteobridge
‘
Moreover, ONEKEY mentioned the vulnerability might be exploited by unauthenticated attackers attributable to the truth that the CGI script is hosted in a public listing with out requiring any authentication.
“Distant exploitation via a malicious webpage can also be attainable since it is a GET request with none sort of customized header or token parameter,” safety researcher Quentin Kaiser famous again in Might. “Simply ship a hyperlink to your sufferer and create img tags with the src set to ‘
There are at the moment no public stories referencing how CVE-2025-4008 is being exploited within the wild. The vulnerability was addressed in Meteobridge model 6.2, launched on Might 13, 2025.
Additionally added by CISA to the KEV catalog are 4 different flaws –
CVE-2025-21043 (CVSS rating: 8.8) – Samsung cell gadgets comprise an out-of-bounds write vulnerability in libimagecodec.quram.so that might enable distant attackers to execute arbitrary code.
CVE-2017-1000353 (CVSS rating: 9.8) – Jenkins incorporates a deserialization of untrusted knowledge vulnerability that might enable unauthenticated distant code execution, bypassing denylist-based safety mechanisms.
CVE-2015-7755 (CVSS rating: 9.8) – Juniper ScreenOS incorporates an improper authentication vulnerability that might enable unauthorized distant administrative entry to the machine.
CVE-2014-6278, aka Shellshock (CVSS rating: 8.8) – GNU Bash incorporates an OS command injection vulnerability that might enable distant attackers to execute arbitrary instructions through a crafted surroundings.
In gentle of lively exploitation, Federal Civilian Govt Department (FCEB) companies are required to use the required updates by October 23, 2025, for optimum safety.
