The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Thursday added a high-severity safety flaw impacting Smartbedded Meteobridge to its Recognized Exploited Vulnerabilities (Convey) catalog, citing proof of energetic exploitation.
The vulnerability, CVE-2025-4008 (CVSS rating: 8.7), is a case of command injection within the Meteobridge internet interface that might end in code execution.
“Smartbedded Meteobridge comprises a command injection vulnerability that might enable distant unauthenticated attackers to realize arbitrary command execution with elevated privileges (root) on affected units,” CISA Mentioned.
In response to ONEKEY, which found and reported the difficulty in late February 2025, the Meteobridge internet interface lets an administrator handle their climate station information assortment and management the system via an online utility written in CGI shell scripts and C.
Particularly, the net interface exposes a “template.cgi” script via “/cgi-bin/template.cgi,” which is susceptible to command injection stemming from the insecure use of eval calls, permitting an attacker to produce specifically crafted requests to execute arbitrary code –
curl -i -u meteobridge: meteobridge
'https://192.168.88.138/cgi-bin/template.cgi?$(id>/tmp/a)=no matter'Moreover, ONEKEY mentioned the vulnerability could be exploited by unauthenticated attackers attributable to the truth that the CGI script is hosted in a public listing with out requiring any authentication.
“Distant exploitation via a malicious webpage can be doable since it is a GET request with none form of customized header or token parameter,” safety researcher Quentin Kaiser famous again in Might. “Simply ship a hyperlink to your sufferer and create img tags with the src set to ‘https://subnet.a/public/template.cgi?templatefile=$(command).'”
There are at present no public stories referencing how CVE-2025-4008 is being exploited within the wild. The vulnerability was addressed in Meteobridge model 6.2, launched on Might 13, 2025.
Additionally added by CISA to the KEV catalog are 4 different flaws –
- CVE-2025-21043 (CVSS rating: 8.8) – Samsung cell units comprise an out-of-bounds write vulnerability in libimagecodec.quram.so that might enable distant attackers to execute arbitrary code.
- CVE-2017-1000353 (CVSS rating: 9.8) – Jenkins comprises a deserialization of untrusted information vulnerability that might enable unauthenticated distant code execution, bypassing denylist-based safety mechanisms.
- CVE-2015-7755 (CVSS rating: 9.8) – Juniper ScreenOS comprises an improper authentication vulnerability that might enable unauthorized distant administrative entry to the gadget.
- CVE-2014-6278aka Shellshock (CVSS rating: 8.8) – GNU Bash comprises an OS command injection vulnerability that might enable distant attackers to execute arbitrary instructions through a crafted atmosphere.
In gentle of energetic exploitation, Federal Civilian Govt Department (FCEB) businesses are required to use the required updates by October 23, 2025, for optimum safety.
