Organizations Warned of Exploited Meteobridge Vulnerability
Briefly

"Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system management functionality is provided through the Meteobridge web interface. While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks."
"Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is prone to command injection. The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Furthermore, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command."
"'Remote exploitation through malicious webpage is also possible since it's a GET request without any kind of custom header or token parameter,' Onekey explains. On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for 'an application security risk', without mentioning the CVE or the vulnerability's exploitation. Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01."
Meteobridge devices connect weather stations to public weather networks and provide station data collection and system management via a web interface. A command-injection vulnerability in a CGI shell endpoint (CVE-2025-4008, CVSS 8.7) allowed user-controlled input to be evaluated without sanitization. The vulnerable script resides in a public folder and lacks authentication, enabling unauthenticated exploitation via simple GET/curl requests. Shodan historical data shows roughly 100 Meteobridge devices exposed to the internet, increasing attack risk. Smartbedded released version 6.2 with fixes; CISA added the flaw to its KEV catalog and urged agencies to patch under BOD 22-01.
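The root cause described above is a CGI shell script that evaluates request input. As an added illustration, not Meteobridge's own code, the POSIX sh helper below shows the defensive pattern such an endpoint should follow: split QUERY_STRING without word splitting or globbing, accept only whitelisted parameter names, and allow only a conservative character set in values, so nothing from the request ever reaches `eval`. The parameter names `station` and `interval` are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not Meteobridge's code: a CGI helper that never hands request data to eval.

# Succeeds only if $1 is non-empty and contains nothing but [A-Za-z0-9._-].
is_safe_value() {
    case "$1" in
        '') return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# parse_query QUERY_STRING
# Prints one "name=value" line per accepted pair; returns 1 if any pair was rejected.
# Accepted parameter names (station, interval) are hypothetical placeholders.
parse_query() {
    qs=$1
    rc=0
    while [ -n "$qs" ]; do
        # Peel off the next "name=value" pair without relying on IFS or globbing.
        case "$qs" in
            *'&'*) pair=${qs%%&*}; qs=${qs#*&} ;;
            *)     pair=$qs; qs='' ;;
        esac
        case "$pair" in
            *=*) ;;
            *) rc=1; continue ;;   # malformed pair without '='
        esac
        name=${pair%%=*}
        value=${pair#*=}
        case "$name" in
            station|interval) ;;
            *) rc=1; continue ;;   # unknown parameter name is dropped, never interpreted
        esac
        # Percent-encoded or metacharacter-laden values fail here and are dropped, not executed.
        if is_safe_value "$value"; then
            printf '%s=%s\n' "$name" "$value"
        else
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use as a CGI script: reads QUERY_STRING from the environment when present.
if [ "${QUERY_STRING+set}" = set ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
    parse_query "$QUERY_STRING" || printf 'rejected one or more parameters\n'
fi
```

Validation of this kind belongs in the script regardless of whether it sits in an authenticated folder; authentication limits who can reach it, while input validation limits what any request can do.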
Read at SecurityWeek