CVE-2025-62193
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.
AnalysisAI
NOAA PMEL Live Access Server (LAS) has unauthenticated RCE through PyFerret SPAWN commands embedded in requests. Scientific data servers running LAS are vulnerable to complete compromise.
Technical ContextAI
The server processes PyFerret expressions from user requests without filtering the SPAWN command (CWE-78), which executes arbitrary OS commands. Fixed in a specific version of RequestInputFilter.java from 2025-09-24.
Affected ProductsAI
NOAA PMEL Live Access Server (before 2025-09-24 fix)
RemediationAI
Apply the RequestInputFilter.java fix. Restrict LAS access to trusted networks.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today