CVE-2025-4008

Severity: HIGH
Published: 2025-05-21 ([email protected])
CVSS 4.0 base score: 8.7

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined in CVSS 4.0)

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 18:43 (vuln.today)
PoC Detected: Oct 27, 2025 - 17:02 (vuln.today), public exploit code
Added to CISA KEV: Oct 27, 2025 - 17:02 (cisa)
CVE Published: May 21, 2025 - 16:15 (nvd)

Description

The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.

Analysis

Meteobridge weather station web interface contains a command injection vulnerability allowing unauthenticated remote attackers to execute arbitrary commands through crafted requests to CGI endpoints.

Technical Context

The vulnerability is a CWE-77 command injection: the CGI shell scripts pass user-supplied request input directly into shell command lines without sanitization, so shell metacharacters in that input are interpreted by the shell and arbitrary commands run with the privileges of the web interface (root).
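To make the CWE-77 pattern concrete, here is an added example (not Meteobridge code) of a CGI shell handler that reads a parameter from QUERY_STRING: the vulnerable form is kept only as a comment, and the hardened form validates the value against a strict allowlist before it can reach any command line. The parameter name "station" and the tool name "mbctl" are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Meteobridge firmware. Shows how a CGI shell
# script can take a request parameter safely instead of handing it to the shell.

# Extract the value of one parameter from a query string.
# $1 = query string, $2 = parameter name
get_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Accept only a short identifier made of [A-Za-z0-9_-]; reject everything else,
# including the empty string and any shell metacharacter (; | & $ ` etc.).
validate_id() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Vulnerable pattern (CWE-77), shown for contrast only:
#   station=$(get_param "$QUERY_STRING" station)
#   eval "mbctl --station $station"   # metacharacters in $station are executed
# "mbctl" is a hypothetical tool name.

# Hardened handler: validate first, then pass the value as one quoted argument.
# $1 = query string (constructed input in the test; QUERY_STRING in a real CGI)
handle_request() {
    station=$(get_param "$1" station)
    if ! validate_id "$station"; then
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'invalid station id\n'
        return 1
    fi
    printf 'Status: 200 OK\r\nContent-Type: text/plain\r\n\r\n'
    # Stand-in for the real tool call, which would be: mbctl --station "$station"
    printf 'station=%s\n' "$station"
    return 0
}
```

Run as a CGI script it would be called as `handle_request "$QUERY_STRING"`; the allowlist, not escaping, is what keeps the value from ever being parsed as shell syntax.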

Affected Products

Meteobridge (affected versions)

Remediation

Apply the vendor firmware update. Never expose IoT management interfaces to the internet. Isolate weather station equipment on a separate network segment so that the web interface is reachable only from trusted administration hosts.

Priority Score

Total: 159
KEV: +50
EPSS: +45.9
CVSS: +44
POC: +20
