The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution.
"Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices," CISA said.
According to ONEKEY, which discovered and reported the issue in late February 2025, the Meteobridge web interface lets an administrator manage their weather station data collection and control the system via a web application written in CGI shell scripts and C.
Specifically, the web interface exposes a "template.cgi" script via "/cgi-bin/template.cgi," which is vulnerable to command injection stemming from the insecure use of eval calls, allowing an attacker to supply specially crafted requests to execute arbitrary code –
```
curl -i -u meteobridge:meteobridge 'https://192.168.88.138/cgi-bin/template.cgi?$(id>/tmp/a)=whatever'
```
Furthermore, ONEKEY said the vulnerability can be exploited by unauthenticated attackers due to the fact that the CGI script is hosted in a public directory without requiring any authentication.
"Remote exploitation via a malicious webpage is also possible since it is a GET request without any kind of custom header or token parameter," security researcher Quentin Kaiser noted back in May. "Just send a link to your victim and create img tags with the src set to 'https://subnet.a/public/template.cgi?templatefile=$(command).'"
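The two request shapes described above (a direct GET to template.cgi with `$(...)` in the query, and the same request triggered from an img tag on a third-party page) are visible in the device's or reverse proxy's access log. The following Python is an added detection example, not code from ONEKEY, CISA or Smartbedded; the combined-log format, the sample lines and the addresses in them are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined-log-style line: source IP, timestamp, quoted request, status, size, quoted referer.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# The two template.cgi paths named in the advisory, and the shell
# substitution markers that would reach an eval call unchanged.
TEMPLATE_PATHS = ("/cgi-bin/template.cgi", "/public/template.cgi")
SUBST_MARKERS = ("$(", "`", "${")

def decode_query(target):
    path, _, query = target.partition("?")
    # Decode twice so a double-encoded "$(" (%2524%2528) is surfaced as well.
    return path, unquote(unquote(query))

def is_template_injection_attempt(target):
    """True when template.cgi is requested with command substitution in the query."""
    path, query = decode_query(target)
    if not path.endswith(TEMPLATE_PATHS):
        return False
    return any(marker in query for marker in SUBST_MARKERS)

def scan_access_log(lines):
    """Return one finding per log line that looks like a CVE-2025-4008 attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_template_injection_attempt(m["target"]):
            # A third-party Referer on a hit matches the img-tag delivery described above.
            findings.append({k: m[k] for k in ("src", "ts", "status", "target", "referer")})
    return findings

# Constructed sample log lines (not from any real device); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/May/2025:10:01:02 +0000] "GET /cgi-bin/template.cgi?templatefile=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/May/2025:10:01:05 +0000] "GET /cgi-bin/template.cgi?$(id>/tmp/a)=whatever HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [13/May/2025:10:01:09 +0000] "GET /public/template.cgi?templatefile=%24%28id%29 HTTP/1.1" 200 0 "http://attacker.example/" "Mozilla/5.0"',
    '192.0.2.11 - - [13/May/2025:10:02:00 +0000] "GET /cgi-bin/other.cgi?$(id) HTTP/1.1" 404 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['target']} (referer: {f['referer']})")
```

Only the two template.cgi requests carrying substitution syntax are reported; the benign templatefile request and the same payload against a different script are left alone.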

There are currently no public reports referencing how CVE-2025-4008 is being exploited in the wild. The vulnerability was addressed in Meteobridge version 6.2, released on May 13, 2025.
Also added by CISA to the KEV catalog are four other flaws –
- CVE-2025-21043 (CVSS score: 8.8) – Samsung mobile devices contain an out-of-bounds write vulnerability in libimagecodec.quram.so that could allow remote attackers to execute arbitrary code.
- CVE-2017-1000353 (CVSS score: 9.8) – Jenkins contains a deserialization of untrusted data vulnerability that could allow unauthenticated remote code execution, bypassing denylist-based protection mechanisms.
- CVE-2015-7755 (CVSS score: 9.8) – Juniper ScreenOS contains an improper authentication vulnerability that could allow unauthorized remote administrative access to the device.
- CVE-2014-6278, aka Shellshock (CVSS score: 8.8) – GNU Bash contains an OS command injection vulnerability that could allow remote attackers to execute arbitrary commands via a crafted environment.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by October 23, 2025, for optimal protection.