CRITICAL🇵🇱 Wersja polska

CVE-2025-61956

CVSS 10.0v4.0pub. 2025-11-04upd. 2025-11-12

Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally, manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.

🤖 AI Analysis
How it works

An attacker without any credentials can gain access to the administrative panel and invoke API requests to the VizAir system. The lack of authentication mechanisms (CWE-306) allows unauthorized modification of system configuration, including active runway settings and meteorological data. The manipulated data can then be presented to air traffic controllers (ATC) and pilots as reliable operational information.

Impact

An attacker can remotely and without authentication modify the system configuration, falsify runway status data, and manipulate meteorological data, which may mislead air traffic controllers (ATC), pilots, and meteorologists, leading to incorrect flight planning and potential aviation safety threats.

Mitigation & patch

Apply patches available from the vendor in accordance with the references (CISA ICS Advisory ICSA-25-308-04: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04). Until patches are deployed, it is recommended to isolate the system from public networks, restrict network access to a minimum, and apply additional access control mechanisms at the network level (firewall, VPN).

Who is affected

Radiometrics VizAir — versions specified in the vendor references (advisory ICSA-25-308-04)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Radiometrics Vizair

    APP
    Radiometrics
    < 2025-08
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-54863CRITICAL10.0PL ✓ten sam produkt

Radiometrics VizAir — ujawnienie klucza API REST w pliku konfiguracyjnym

CVE-2025-61945CRITICAL10.0PL ✓ten sam produkt

Brak uwierzytelnienia w panelu admina Radiometrics VizAir