Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind shear alerts, inversion depth, and CAPE values, which are essential for accurate weather forecasting and flight safety. This unauthorized access could result in the disabling of vital alerts, causing hazardous conditions for aircraft, and manipulating runway assignments, which could result in mid-air conflicts or runway incursions.
The vulnerability results from the lack of an authentication mechanism (CWE-306) protecting access to the VizAir system's admin panel. Any attacker with network access can open the panel without providing any login credentials and gain full administrative privileges. After gaining access, the attacker can modify critical weather parameters such as wind shear alerts, temperature inversion depth, and CAPE values, as well as change runway assignments.
An attacker can disable critical aviation safety alerts and manipulate meteorological data and runway assignments, which may lead to mid-air collisions, runway incursion incidents, or exposing aircraft to dangerous atmospheric conditions.
Apply patches available from the manufacturer in accordance with the references. As an immediate remedial action, it is recommended to isolate the VizAir system from the public network, restrict access to the admin panel exclusively to trusted IP addresses, and implement network-level authentication (e.g., VPN or firewall).
Radiometrics VizAir — versions indicated in the manufacturer's references (CISA ICS Advisory ICSA-25-308-04)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XRadiometrics Vizair
APPRadiometrics< 2025-08