Vulnerabilities

Organizations Warned of Exploited Meteobridge Vulnerability

Patched in mid-May, the security defect allows remote unauthenticated attackers to execute arbitrary commands with root privileges.

CISA KEV

The US cybersecurity agency CISA on Thursday warned that a Meteobridge vulnerability patched in May has been exploited in attacks and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system management functionality is provided through the Meteobridge web interface.

While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks.

Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is prone to command injection.

The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Furthermore, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command.

“Remote exploitation through malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” Onekey explains.

Advertisement. Scroll to continue reading.

On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for “an application security risk”, without mentioning the CVE or the vulnerability’s exploitation.

Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.

While Onekey published technical details on CVE-2025-4008 and a proof-of-concept (PoC) exploit in May, there have been no reports of the bug’s in-the-wild exploitation prior to CISA adding it to KEV.

On Thursday, CISA also expanded the KEV list with a recent Samsung zero-day (CVE-2025-21043) and with three old security defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash OS (CVE-2014-6278, aka Shellshock), which were flagged as exploited before.

All organizations are advised to address these five vulnerabilities, and all the flaws described by CISA’s KEV list.

Related: Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks

Related: Organizations Warned of Exploited Sudo Vulnerability

Related: WireTap Attack Breaks Intel SGX Security

Related: Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities

Related Content

Vulnerabilities

CISA says threat actors are exploiting a recently patched SharePoint remote code execution vulnerability (CVE-2026-45659).

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Ransomware

The Microsoft Defender vulnerability CVE-2026-33825 was exploited in the wild as a zero-day before patches were released.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

ICS/OT

CISA has published an advisory to inform organizations about three vulnerabilities found by a researcher in Daktronics controllers.

Artificial Intelligence

AWS has patched the vulnerability and published its own advisory to inform customers about the potential impact. 

Application Security

It will provide the tools and channels to report, patch, and disclose open source software vulnerabilities.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version