CVE-2025-4008

Warnung

Exploit

EPSS 39.88%
Veröffentlicht 21.05.2025 15:31:23
Zuletzt bearbeitet 27.10.2025 17:02:18
Quelle research@onekey.com
CVE-Watchlists
Login
Unerledigt
Login

The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C.

This web interface exposes an endpoint that is vulnerable to command injection.

Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Smartbedded ≫ Meteobridge Vm Version < 6.2

Smartbedded ≫ Meteobridge Firmware Version < 6.2

02.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Smartbedded Meteobridge Command Injection Vulnerability

Schwachstelle

Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	39.88%	0.972

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
research@onekey.com	8.7	0	0	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008

Third Party Advisory

Exploit

https://forum.meteohub.de/viewtopic.php?t=18687

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4008

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2025-4008

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-4008

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-4008

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-4008

02.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog