CVE-2025-61956
published 2025-11-04

Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% (49.2th percentile)

Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally, manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.

Affected

2 ranges

Vendor | Product | Version range | Fixed in
radiometrics | vizair | < 08/2025 | 08/2025
radiometrics | vizair | < 2025-08 | 2025-08

Detection & IOCs

  • Radiometrics VizAir admin panel is accessible without authentication — detect unauthenticated HTTP requests to the admin panel endpoint
  • REST API key is exposed in a publicly accessible configuration file on VizAir systems — monitor for unauthenticated GET requests to configuration file paths on VizAir web servers
  • All affected VizAir versions prior to 08/2025 are vulnerable; Radiometrics has patched all affected systems — no user action required per vendor, but network isolation is strongly recommended
  • No known public exploitation has been reported at time of advisory publication

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 10.0 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X