HIGH🇬🇧 English

CVE-2025-61939

CVSS 8.7v4.0pub. 2026-01-07upd. 2026-01-22

An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Columbiaweather Weather Microserver

    HW
    Columbiaweather
    wszystkie wersje
  • Columbiaweather Weather Microserver Firmware

    OS
    Columbiaweather
    < MS_4.1_14142
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-66620HIGH8.6ten sam produkt

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and direc...

CVE-2018-18877HIGH8.8ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alter...

CVE-2018-18878HIGH7.5ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate ...

CVE-2018-18879HIGH8.8ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands d...

CVE-2018-18876MEDIUM5.3ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue m...