CVE-2025-62193

Severity: CRITICAL
Published: 2026-01-15
Record ID: 9119a7d8-5eab-497f-8521-727c672e3725
CVSS 3.1 base score: 9.8

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
CVE Published: Jan 15, 2026 - 17:16 (nvd)

Description

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

Analysis

NOAA PMEL Live Access Server (LAS) is exposed to unauthenticated remote code execution through PyFerret SPAWN commands embedded in requests. Any scientific data server running an unpatched LAS build that is reachable by an attacker can be completely compromised.

Technical Context

The server passes PyFerret expressions taken from user requests to PyFerret without filtering out the SPAWN command; SPAWN runs arbitrary OS commands, so this is OS command injection (CWE-78). The issue is fixed in the version of RequestInputFilter.java dated 2025-09-24.

Affected Products

NOAA PMEL Live Access Server (before 2025-09-24 fix)

Remediation

Update to a LAS build that includes the RequestInputFilter.java fix from 2025-09-24. Until the fix is applied, restrict network access to LAS to trusted networks.

Priority Score

Score: 49 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.3
CVSS: +49
POC: 0
