CVE-2025-61945
Published 2025-11-04
Priority P2 (67) · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.76% (50.7th percentile)
Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind shear alerts, inversion depth, and CAPE values, which are essential for accurate weather forecasting and flight safety. This unauthorized access could result in the disabling of vital alerts, causing hazardous conditions for aircraft, and manipulating runway assignments, which could result in mid-air conflicts or runway incursions.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radiometrics | vizair | < 2025-08 (all versions before the August 2025 update) | 2025-08 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated access to the Radiometrics VizAir admin panel: any request that reaches the admin panel without a prior authentication step should be treated as possible exploitation of CVE-2025-61945.
- Alert on modifications to critical weather parameters (wind shear alerts, inversion depth, CAPE values) or runway assignments that originate from unauthenticated sessions or from external network sources on VizAir systems.
- Flag any VizAir admin panel or API access from internet-routable IP addresses; the system should not be internet-accessible, so such traffic is a strong indicator of exploitation.
- All VizAir versions prior to the August 2025 update are affected. Radiometrics states it has patched all affected systems server-side and that no user action is required, but defenders should still verify that their deployed version is post-08/2025.
- No public exploitation or proof-of-concept had been reported to CISA at the time the advisory was published, but the CVSS v4 score is 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N): remote, low-complexity exploitation with no privileges and no user interaction required.
- The advisory covers both unauthenticated admin panel access (CVE-2025-61945) and a separately exposed REST API key in a publicly accessible configuration file (CVE-2025-54863); detection strategies should address both attack surfaces.
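The three detection points above (unauthenticated admin-panel requests, parameter changes from unauthenticated or external sources, and admin/API traffic from internet-routable addresses), applied to web-server access logs, as an added example. This is not Radiometrics code and the page gives no VizAir URLs or log format: the /admin and /api paths, the Common Log Format parsing, the use of the remote-user field as the authentication indicator, and the internal address ranges are all assumptions to be adapted to the deployment in front of VizAir.

```python
"""Access-log detection rules for VizAir admin-panel abuse (CVE-2025-61945).
Added example; not Radiometrics code. Paths, log format and address ranges
are assumptions."""
import ipaddress
import re

# Common Log Format: host ident user [date] "request" status bytes.
# Assumption: the remote-user field is the authentication indicator,
# so "-" means the request carried no authenticated session.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical VizAir paths: the advisory names an admin panel and a REST API
# but no URLs, so these placeholders must be mapped to the real deployment.
ADMIN_PREFIXES = ("/admin", "/api/")
# Hypothetical endpoints for the safety-critical parameters the advisory lists
# (wind shear alerts, inversion depth, CAPE values, runway assignments).
PARAMETER_PATHS = ("/admin/alerts", "/admin/inversion", "/admin/cape", "/admin/runway")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumption: the site's own address space. Anything outside it is treated as
# internet-routable, because VizAir should never be reachable from there.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the source address falls inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as untrusted
    return any(addr in net for net in INTERNAL_NETS)


def classify(line: str) -> list[str]:
    """Return the detection labels that fire for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed_line"]  # surfaced for review rather than dropped
    src, user, method, path = m["src"], m["user"], m["method"], m["path"]
    if not path.startswith(ADMIN_PREFIXES):
        return []  # only admin panel / API traffic is in scope
    hits = []
    if user == "-":
        hits.append("unauthenticated_admin_access")
    if not is_internal(src):
        hits.append("internet_source")
    if method in WRITE_METHODS and path.startswith(PARAMETER_PATHS) and hits:
        # A parameter write is flagged when it comes from an unauthenticated
        # or external source; an authenticated internal change is normal ops.
        hits.append("critical_parameter_modification")
    return hits


def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run classify over every line; return (line, hits) for lines that fired."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            out.append((line, hits))
    return out


# Constructed sample log (documentation-range addresses; not real traffic).
SAMPLE_LOG = """\
10.20.3.7 - metops [04/Nov/2025:10:15:01 +0000] "GET /admin/ HTTP/1.1" 200 5120
192.168.5.12 - - [04/Nov/2025:10:16:12 +0000] "GET /admin/ HTTP/1.1" 200 5120
203.0.113.9 - - [04/Nov/2025:10:17:45 +0000] "POST /admin/alerts/windshear HTTP/1.1" 200 88
10.20.3.7 - metops [04/Nov/2025:10:18:02 +0000] "POST /admin/runway HTTP/1.1" 200 91
10.20.3.8 - - [04/Nov/2025:10:19:30 +0000] "GET /dashboard HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Run it against the reverse-proxy or web-server log in front of VizAir. In the constructed sample only two lines fire: the unauthenticated internal GET of the admin panel, and the 203.0.113.9 POST to the hypothetical wind-shear alert endpoint, which trips all three rules at once. The authenticated internal runway change is deliberately not flagged, matching the second bullet's scope; widen PARAMETER_PATHS handling if every write to those endpoints should be audited.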
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 10.0 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
GHSA
GHSA-q4wg-4r43-jqjx (unreviewed, 2025-11-04) · CVE-2025-61945 · CRITICAL · CWE-306 (Missing Authentication for Critical Function)
Title: Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication
Description: identical to the CVE description above.
CISA ICS
ICSA-25-308-04: Radiometrics VizAir (ICS Advisory, 2025-11-04, CVSS 10.0, CRITICAL)
Release Date: November 04, 2025
Alert Code: ICSA-25-308-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Radiometrics
- Equipment: VizAir
- Vulnerabilities: Missing Authentication for Critical Function, Insufficiently Protected Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions.
## 3
No detection rules, public exploits, writeups or analysis indexed for this CVE.