CVE-2025-61956
Published: 2025-11-04
Priority P264 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% (49.2th percentile)
Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally, manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| radiometrics | vizair | < 08/2025 | 08/2025 |
| radiometrics | vizair | < 2025-08 | 2025-08 |
Detection & IOCs (extracted from sources)
- Radiometrics VizAir admin panel is accessible without authentication; detect unauthenticated HTTP requests to the admin panel endpoint
- REST API key is exposed in a publicly accessible configuration file on VizAir systems; monitor for unauthenticated GET requests to configuration file paths on VizAir web servers
- All affected VizAir versions prior to 08/2025 are vulnerable; Radiometrics has patched all affected systems. No user action required per vendor, but network isolation is strongly recommended
- No known public exploitation has been reported at time of advisory publication
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CISA ICS
Radiometrics VizAir
cisa_ics·2025-11-04·CVSS 10.0
[CRITICAL] Radiometrics VizAir
ICS Advisory
## Radiometrics VizAir
Release Date: November 04, 2025
Alert Code: ICSA-25-308-04
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 10.0
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Radiometrics
- Equipment: VizAir
- Vulnerabilities: Missing Authentication for Critical Function, Insufficiently Protected Credentials
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions.
## 3
GHSA
GHSA-4p8r-c649-4cgv: Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests
ghsa_unreviewed·2025-11-04
CVE-2025-61956 [CRITICAL] CWE-306 GHSA-4p8r-c649-4cgv: Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.