The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution.
“Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices,” CISA Said.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
According to ONEKEY, which discovered and reported the issue in late February 2025, the Meteobridge web interface lets an administrator manage their weather station data collection and control the system through a web application written in CGI shell scripts and C.
Specifically, the web interface exposes a “template.cgi” script through “/cgi-bin/template.cgi,” which is vulnerable to command injection stemming from the insecure use of eval calls, allowing an attacker to supply specially crafted requests to execute arbitrary code –
curl -i -u meteobridge: meteobridge \
‘https://192.168.88.138/cgi-bin/template.cgi?$(id>/tmp/a)=whatever’
Furthermore, ONEKEY said the vulnerability can be exploited by unauthenticated attackers due to the fact that the CGI script is hosted in a public directory without requiring any authentication.
“Remote exploitation through a malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” security researcher Quentin Kaiser noted back in May. “Just send a link to your victim and create img tags with the src set to ‘https://subnet.a/public/template.cgi?templatefile=$(command).'”
There are currently no public reports referencing how CVE-2025-4008 is being exploited in the wild. The vulnerability was addressed in Meteobridge version 6.2, released on May 13, 2025.
Also added by CISA to the KEV catalog are four other flaws –
- CVE-2025-21043 (CVSS score: 8.8) – Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so that could allow remote attackers to execute arbitrary code.
- CVE-2017-1000353 (CVSS score: 9.8) – Jenkins contains a deserialization of untrusted data vulnerability that could allow unauthenticated remote code execution, bypassing denylist-based protection mechanisms.
- CVE-2015-7755 (CVSS score: 9.8) – Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.
- CVE-2014-6278, aka Shellshock (CVSS score: 8.8) – GNU Bash contains an OS command injection vulnerability that could allow remote attackers to execute arbitrary commands via a crafted environment.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by October 23, 2025, for optimal protection.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Confucius Hackers Hit Pakistan With New WooperStealer and Anondoor Malware