The Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning following confirmation that a command injection vulnerability in Meteobridge weather station devices is now being actively exploited. Tracked as CVE-2025-4008, the flaw allows attackers to execute arbitrary commands through a web interface endpoint that requires no authentication and does not sanitize user input.
While Meteobridge devices are not designed to be internet-facing, security researchers identified around 100 units publicly exposed online, which turns an otherwise limited flaw into one that is reachable from the internet. The vulnerability, found in a CGI shell script, can be exploited with nothing more than a simple HTTP GET request, no authentication required. This makes it an easy entry point for attackers looking to compromise exposed weather data gateways or pivot deeper into connected networks.
CISA’s inclusion of this flaw in its Known Exploited Vulnerabilities (KEV) catalog elevates it to high priority, especially for federal agencies, which are mandated to patch it within three weeks under Binding Operational Directive 22-01. The issue was patched by Smartbedded in Meteobridge version 6.2, released in May 2025, but many devices remain outdated and at risk.
The update also expands the KEV catalog with other actively exploited vulnerabilities, including a Samsung zero-day and legacy flaws in Jenkins, Juniper ScreenOS, and GNU Bash (Shellshock)—a reminder that both new and old exploits continue to endanger unpatched systems.
CISA’s message is clear: patch management and exposure control are non-negotiable. Any internet-connected management interface—no matter how obscure—represents a critical point of failure. Security teams should immediately patch affected devices, verify they are not exposed online, and review perimeter configurations to prevent similar misconfigurations from becoming the next exploited vector.
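A defender-side check for the request pattern described above, added here as an example (not code from CISA, Smartbedded or the original report): it scans web access log lines for GET requests to CGI scripts whose query strings decode to shell metacharacters. The `/cgi-bin/` prefix, the `example.cgi` name and the sample log lines are constructed assumptions, since the report does not name the affected endpoint.

```python
import re
from urllib.parse import unquote_plus

# Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell syntax that has no business in a CGI query string.
SHELL_META = re.compile(r'\$[({]|`|;|&&|\||[<>\r\n]')
CGI_PREFIX = "/cgi-bin/"  # assumption: adjust to the device's real CGI path

# Constructed sample lines (documentation IP ranges, hypothetical script name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /cgi-bin/example.cgi?station=home&units=metric HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/example.cgi?station=%24%28id%29 HTTP/1.1" 200 87',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /cgi-bin/example.cgi?station=%2560id%2560 HTTP/1.1" 200 87',
    '192.0.2.10 - - [01/Jan/2025:10:00:12 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
]

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %2560 -> %60 -> backtick)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (host, user, path, decoded_query) for CGI GET requests whose
    query string contains shell metacharacters. user == '-' means the
    request carried no HTTP authentication."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path, _, raw_query = m["target"].partition("?")
        path = decode_fully(path)
        if not path.startswith(CGI_PREFIX) or not raw_query:
            continue
        query = decode_fully(raw_query)
        if SHELL_META.search(query):
            hits.append((m["host"], m["user"], path, query))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Hits from sources outside the management network are the ones to triage first, alongside confirming the device runs version 6.2 or later.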