CVE-2025-4008
published 2025-05-21


Priority: P1 91 high, CVSS 3.1: 8.8
AV:A / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-10-23
Exploited in the wild
EPSS: 94.67% (99.8th percentile)
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| smartbedded | meteobridge | <= 6.1 | |
| smartbedded | meteobridge_firmware | < 6.2 | 6.2 |
| smartbedded | meteobridge_vm | < 6.2 | 6.2 |

Detection & IOCs (extracted from sources)

url: /public/template.cgi?templatefile=$(id)
path: /public/template.cgi
path: /cgi-bin/template.cgi
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Smartbedded MeteoBridge Unauthenticated Remote Code Execution (CVE-2025-4008)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/template.cgi|3f|"; fast_pattern; content:"templatefile|3d|"; pcre:"/^[^\x26]*?(?:[\x3b\x24\x27\x60\x7c]|\x25(?:3[bB]|2[47]|60|7[cC]))/R"; reference:url,www.onekey.com/resource/security-advisory-remote-command-execution-on-smartbedded-meteobridge-cve-2025-4008; reference:cve,2025-4008; classtype:web-application-attack; sid:2062619; rev:1; metadata:attack_target Server, created_at 2025_05_29, cve CVE_2025_4008, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests target the `templatefile` CGI parameter with shell metacharacters (`;`, `$`, `'`, backtick, `|`) or their URL-encoded equivalents (`%3b`, `%24`, `%27`, `%60`, `%7c`) to inject OS commands.
  • Successful exploitation returns an HTTP 200 response body containing both `Error: template file` and `uid=` / `gid=` strings — the output of the injected `id` command.
  • Shodan/FOFA exposure: devices advertising 'meteobridge' or 'Meteobridge' banners are the target population for this vulnerability.
  • The attack is unauthenticated — no session cookie or credential is required. Any inbound GET to template.cgi with shell metacharacters in `templatefile` should be treated as an active exploitation attempt.
  • Two CGI paths have been observed across sources: `/public/template.cgi` (used in the Nuclei PoC) and `/cgi-bin/template.cgi` (used in the Snort/ET rule). Detection rules should cover both paths.
  • The vulnerability affects MeteoBridge versions up to and including 6.1; version 6.2 is stated to properly sanitize input in template.cgi.
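
Added example (not taken from the sources above): an access-log scanner that applies the same test as the Snort/ET rule to both observed paths, `/public/template.cgi` and `/cgi-bin/template.cgi`. It assumes common/combined log format; the function names, the `sample.html` template name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Both endpoint paths reported on this page (Nuclei PoC path and ET rule path).
TEMPLATE_PATHS = {"/public/template.cgi", "/cgi-bin/template.cgi"}
# Shell metacharacters listed above; unquote() maps %3b %24 %27 %60 %7c onto them.
SHELL_META = set(";$'`|")
# Assumption: common/combined log format with a quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def templatefile_values(query):
    """Yield decoded templatefile values. Split on '&' only, so a raw ';'
    stays inside the value instead of being taken for a separator."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote(name) == "templatefile":
            yield unquote(value)


def is_exploit_attempt(log_line):
    """True for a GET to either template.cgi path whose templatefile value
    contains a shell metacharacter, raw or percent-encoded once."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return False
    parts = urlsplit(m.group("target"))
    if unquote(parts.path) not in TEMPLATE_PATHS:
        return False
    return any(SHELL_META & set(v) for v in templatefile_values(parts.query))


def flag_lines(lines):
    """Return the indexes of log lines that look like exploitation attempts."""
    return [i for i, line in enumerate(lines) if is_exploit_attempt(line)]


# Constructed sample access-log lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:10:00:00 +0000] "GET /public/template.cgi?templatefile=$(id) HTTP/1.1" 200 152',
    '203.0.113.7 - - [01/Jun/2025:10:00:05 +0000] "GET /cgi-bin/template.cgi?templatefile=x%3bid HTTP/1.1" 200 140',
    '192.0.2.10 - - [01/Jun/2025:10:01:00 +0000] "GET /cgi-bin/template.cgi?templatefile=sample.html&lang=en HTTP/1.1" 200 2048',
    '192.0.2.10 - - [01/Jun/2025:10:02:00 +0000] "GET /index.html?q=$(id) HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for i in flag_lines(SAMPLE_LOG):
        print("ALERT CVE-2025-4008:", SAMPLE_LOG[i])
```

Like the ET rule, this decodes percent-encoding once, so double-encoded values are not flagged.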

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck | 8.7 | HIGH
cisa | 8.7 | HIGH