CVE-2025-4008
Published 2025-05-21
Priority P1 (91) · High 8.8 (CVSS 3.1: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability (remediation due 2025-10-23) · Exploited in the wild
EPSS 94.67% (99.8th percentile)
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C.
This web interface exposes an endpoint that is vulnerable to command injection.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartbedded | meteobridge | <= 6.1 | — |
| smartbedded | meteobridge_firmware | < 6.2 | 6.2 |
| smartbedded | meteobridge_vm | < 6.2 | 6.2 |
Detection & IOCs (extracted from sources)
Snort / Emerging Threats rule (sid 2062619):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Smartbedded MeteoBridge Unauthenticated Remote Code Execution (CVE-2025-4008)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/template.cgi|3f|"; fast_pattern; content:"templatefile|3d|"; pcre:"/^[^\x26]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008; reference:cve,2025-4008; classtype:web-application-attack; sid:2062619; rev:1; metadata:attack_target Server, created_at 2025_05_29, cve CVE_2025_4008, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requests target the `templatefile` CGI parameter with shell metacharacters (`;`, `$`, `'`, backtick, `|`) or their URL-encoded equivalents (`%3b`, `%24`, `%27`, `%60`, `%7c`) to inject OS commands.
- Successful exploitation returns an HTTP 200 response body containing both `Error: template file` and `uid=` / `gid=` strings, the output of the injected `id` command.
- Shodan/FOFA exposure: devices advertising 'meteobridge' or 'Meteobridge' banners are the target population for this vulnerability.
- The attack is unauthenticated: no session cookie or credential is required. Any inbound GET to template.cgi with shell metacharacters in `templatefile` should be treated as an active exploitation attempt.
- Two CGI paths have been observed across sources: `/public/template.cgi` (used in the Nuclei PoC) and `/cgi-bin/template.cgi` (used in the Snort/ET rule). Detection rules should cover both paths.
- The vulnerability affects MeteoBridge versions up to and including 6.1; version 6.2 is stated to properly sanitize input in template.cgi.
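An added example, not taken from any of the sources on this page: a Python log scan that applies the ET rule's heuristic to web-server access-log lines, covering both observed CGI paths and both the raw and the percent-encoded metacharacter forms, and stopping at the `&` boundary exactly as the rule's PCRE does. The log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Both CGI paths observed across sources (Nuclei PoC vs. the ET/Snort rule).
TEMPLATE_PATHS = ("/public/template.cgi", "/cgi-bin/template.cgi")
# Metacharacters from the rule's PCRE class, raw and after one round of percent-encoding.
RAW_META = set(";$'`|")
ENCODED_META = re.compile(r"%(?:3[bB]|2[47]|60|7[cC])")
# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

def templatefile_value(target):
    """Raw (still percent-encoded) templatefile value of a template.cgi target, else None."""
    path, _, query = target.partition("?")
    if path not in TEMPLATE_PATHS:
        return None
    for pair in query.split("&"):  # the rule's check stops at the first '&' (\x26)
        name, sep, value = pair.partition("=")
        if sep and name == "templatefile":
            return value
    return None

def is_injection_attempt(request_line):
    """True when a GET matches the rule's heuristic: a raw or encoded shell metacharacter."""
    m = REQUEST_RE.search(request_line)
    if not m or m.group("method") != "GET":
        return False
    value = templatefile_value(m.group("target"))
    if value is None:
        return False
    if RAW_META.intersection(value) or ENCODED_META.search(value):
        return True
    # Broader than the rule: also flag metacharacters that only appear after decoding.
    return bool(RAW_META.intersection(unquote(value)))

def scan_log(lines):
    """Return (line_number, client_ip) for each line that looks like an attempt."""
    return [(n, line.split(" ", 1)[0])
            for n, line in enumerate(lines, 1) if is_injection_attempt(line)]

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/May/2025:10:00:01 +0000] "GET /cgi-bin/template.cgi?templatefile=x%3Bx HTTP/1.1" 200 512',
    '198.51.100.7 - - [29/May/2025:10:00:02 +0000] "GET /public/template.cgi?templatefile=weather.html HTTP/1.1" 200 2048',
    '203.0.113.9 - - [29/May/2025:10:00:03 +0000] "GET /public/template.cgi?templatefile=x|x&lang=en HTTP/1.1" 200 512',
    '198.51.100.8 - - [29/May/2025:10:00:04 +0000] "GET /cgi-bin/template.cgi?lang=en%3B&templatefile=ok.html HTTP/1.1" 200 64',
    '192.0.2.4 - - [29/May/2025:10:00:05 +0000] "GET /cgi-bin/other.cgi?templatefile=x%3Bx HTTP/1.1" 404 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 and 3 only: the encoded `%3B` in an earlier parameter on line 4 is outside the `templatefile` value, and line 5 is not a template.cgi request.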
CVSS provenance

| Source | Version | Score | Vector |
|---|---|---|---|
| nvd | 3.1 | 8.8 HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.7 HIGH | |
| cisa | | 8.7 HIGH | |
GHSA
GHSA-g7h8-28jj-qxmf (ghsa_unreviewed · 2025-05-21) · CVE-2025-4008 [CRITICAL] · CWE-77
Description: the same text as the CVE record above (web application written in CGI shell scripts and C; an endpoint vulnerable to command injection; remote unauthenticated attackers gain arbitrary command execution as root on affected devices).
VulnCheck
Smartbedded Meteobridge Command Injection Vulnerability (vulncheck · 2025 · CVSS 8.7) · CVE-2025-4008 [HIGH] · CWE-306
Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.
Affected: Smartbedded Meteobridge
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://viz.greynoise.io/tags/meteobridge-command-injection-cve-2025-4008-rce-attempt?days=1; https://www.trendmicro.com/en_us/research/25/j/rondodox.html; https://beelzebub.ai/blog/rondo-dox-v2/; https://ww
CISA
Smartbedded Meteobridge Command Injection Vulnerability (cisa · 2025-10-02 · CVSS 8.7) · CVE-2025-4008 [HIGH] · CWE-306
Affected: Smartbedded Meteobridge
Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://forum.meteohub.de/viewtopic.php?t=18687 ; https://nvd.nist.gov/vuln/detail/CVE-2025-4008
Remediation Due Date: 2025-10-23
Suricata
ET WEB_SPECIFIC_APPS Smartbedded MeteoBridge Unauthenticated Remote Code Execution (CVE-2025-4008) (suricata · 2025-05-29 · CVSS 8.7) · CVE-2025-4008 [HIGH]
Rule: sid 2062619, rev 1, created 2025-05-29; the same ET rule quoted in full in the Detection & IOCs section above.
Nuclei
MeteoBridge <= 6.1 - Remote Code Execution (nuclei · CVSS 8.7) · CVE-2025-4008 [HIGH]
Description: the same text as the CVE record above.
Template (info block as shown by the source):

```yaml
id: CVE-2025-4008
info:
  name: MeteoBridge <= 6.1 - Remote Code Execution
  author: iamnoooob,pdresearch
  severity: high
  description: |
    The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application written in CGI shell scripts and C.
    This web interface exposes an endpoint that is vulnerable to command injection.
    Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges ( root ) on affected devices.
```
Trend Micro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits (blogs_trendmicro · 2025-10-09 · CVSS 8.8) [HIGH]
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
- December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
- January
Trend Micro (same post, 2025/10/09)
Key takeaways
- The campaign exposes organizations with exposed infrastructure to the risks of data exfiltration, persistent network compromise, and operational disruption.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA's Known Exploited Vulnerabilities
BleepingComputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks (blogs_bleepingcomputer · 2025-10-09 · CVSS 8.8) [HIGH]
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
By Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attackers focus on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and have been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitation
GreyNoise
NoiseLetter October 2025 (blogs_greynoiseio)
Recorded Future
October 2025 CVE Landscape (blogs_recorded_future · CVSS 9.8) [CRITICAL]
# October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting c
Bugzilla
CVE-2025-58189 gvisor-tap-vsock: go crypto/tls ALPN negotiation error contains attacker controlled information [fedora-42] (bugzilla · 2025-10-30 · CVSS 5.3) · CVE-2025-58189 [MEDIUM] (a different vulnerability; this tracker references the Go advisory GO-2025-4008, not CVE-2025-4008)
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
Will be fixed (if impacted) by rebuilding the package with a fixed go version https://pkg.go.dev/vuln/GO-2025-4008
---
This message is a reminder that Fedora Linu
Timeline
- 2025-05-21: Published
- 2025-10-02: Added to CISA KEV
- Exploited in the wild