Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Organizations Warned of Exploited Meteobridge Vulnerability

Patched in mid-May, the security defect allows remote unauthenticated attackers to execute arbitrary commands with root privileges.

CISA KEV

The US cybersecurity agency CISA on Thursday warned that a Meteobridge vulnerability patched in May has been exploited in attacks and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system management functionality is provided through the Meteobridge web interface.

While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks.

Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is prone to command injection.

The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Furthermore, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command.

“Remote exploitation through malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” Onekey explains.

Advertisement. Scroll to continue reading.

On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for “an application security risk”, without mentioning the CVE or the vulnerability’s exploitation.

Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.

While Onekey published technical details on CVE-2025-4008 and a proof-of-concept (PoC) exploit in May, there have been no reports of the bug’s in-the-wild exploitation prior to CISA adding it to KEV.

On Thursday, CISA also expanded the KEV list with a recent Samsung zero-day (CVE-2025-21043) and with three old security defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash OS (CVE-2014-6278, aka Shellshock), which were flagged as exploited before.

All organizations are advised to address these five vulnerabilities, and all the flaws described by CISA’s KEV list.

Related: Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks

Related: Organizations Warned of Exploited Sudo Vulnerability

Related: WireTap Attack Breaks Intel SGX Security

Related: Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.