CVE-2025-54863
published 2025-11-04CVE-2025-54863: Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely…
PriorityP355critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.58%
43.5th percentile
Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radiometrics | vizair | < 08/2025 | 08/2025 |
| radiometrics | vizair | < 2025-08 | 2025-08 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.010.0CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-p4q9-wr86-5gjc: Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file
ghsa_unreviewed·2025-11-04
CVE-2025-54863 [CRITICAL] CWE-522 GHSA-p4q9-wr86-5gjc: Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file
Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.
CISA ICS
Radiometrics VizAir
cisa_ics·2025-11-04·CVSS 10.0
[CRITICAL] Radiometrics VizAir
ICS Advisory
##
Radiometrics VizAir
Release DateNovember 04, 2025
Alert CodeICSA-25-308-04
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Radiometrics
- Equipment: VizAir
- Vulnerabilities: Missing Authentication for Critical Function, Insufficiently Protected Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions.
## 3
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-04
Published