Organizations Warned of Exploited Meteobridge Vulnerability

The US cybersecurity agency CISA on Thursday warned that a Meteobridge vulnerability patched in May has been exploited in attacks and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system administration functionality is provided through the Meteobridge web interface.

While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks.

Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is susceptible to command injection.

The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Moreover, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command.
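The defensive counterpart to the bug class described above (user input reaching eval in a CGI shell script) is to never evaluate the input at all: split the query string with shell parameter expansion, accept only allow-listed keys, and check each value against a strict character class and length. The following is an added example, not Meteobridge or Onekey code; the parameter names `station` and `days` are assumed for illustration.

```shell
#!/bin/sh
# Added example, not Meteobridge code: a CGI query-string parser in plain sh
# that never hands user input to eval. Keys must be on an allow-list, values
# must pass a per-key character-class and length check, and anything else
# rejects the whole request. Parameter names are assumed for illustration.

# Returns 0 if $2 is an acceptable value for key $1, 1 otherwise.
valid_value() {
    case $1 in
        station)  # short identifier: letters, digits, underscore, dash
            case $2 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
            [ "${#2}" -le 32 ] ;;
        days)     # small non-negative integer, at most three digits
            case $2 in ''|*[!0-9]*) return 1 ;; esac
            [ "${#2}" -le 3 ] ;;
        *) return 1 ;;   # unknown key: reject
    esac
}

# Parses a QUERY_STRING ($1). Prints one "key=value" line per pair and
# returns 0 only when every pair is valid; one bad pair fails the request
# so nothing is acted on partially. No eval and no percent-decoding: an
# encoded byte contains '%', which the character checks above reject.
parse_query() {
    set -f                      # no glob expansion while splitting on '&'
    oldifs=$IFS; IFS='&'
    set -- $1
    IFS=$oldifs; set +f
    out=''
    for pair in "$@"; do
        key=${pair%%=*}
        case $pair in *=*) val=${pair#*=} ;; *) val='' ;; esac
        valid_value "$key" "$val" || return 1
        out="${out}${key}=${val}
"
    done
    printf '%s' "$out"
}
```

A metacharacter such as `;`, `$`, `(` or a backtick never matches the allowed classes, so a request carrying one is refused before any command is built from it.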

“Remote exploitation through malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” Onekey explains.

On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for “an application security risk”, without mentioning the CVE or the vulnerability’s exploitation.

Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by Binding Operational Directive (BOD) 22-01.

While Onekey published technical details on CVE-2025-4008 and a proof-of-concept (PoC) exploit in May, there were no reports of the bug’s in-the-wild exploitation prior to CISA adding it to KEV.

On Thursday, CISA also expanded the KEV list with a recent Samsung zero-day (CVE-2025-21043) and with three old security defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash OS (CVE-2014-6278, aka Shellshock), which had been flagged as exploited before.

All organizations are advised to address these five vulnerabilities, and all the issues described in CISA’s KEV list.