CVE-2025-54863
Published: 04 November 2025
Description
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Security Summary
CVE-2025-54863 is a critical vulnerability in Radiometrics VizAir, where the system's REST API key is exposed through a publicly accessible configuration file. This issue, mapped to CWE-522 (Insufficiently Protected Credentials), carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting its potential for high-impact network-based exploitation without requiring authentication or user interaction.
Attackers with network access can remotely leverage the exposed API key to alter weather data and system configurations, extract sensitive meteorological information, and automate attacks against multiple VizAir instances. They could also flood the system with false alerts, resulting in denial-of-service conditions that disrupt airport operations. Such unauthorized control over aviation weather monitoring risks incorrect flight planning and hazardous takeoff or landing scenarios.
The CISA advisory ICSA-25-308-04 provides details on mitigation strategies; refer to https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04 and the associated CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json for patches, workarounds, and further guidance.
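As an added defender-side check that is not part of the advisory or of Radiometrics' own code: a small audit script that walks a directory served by a web server and flags configuration files carrying high-entropy credential values, the CWE-522 pattern described above. The file names, key names and values in the demo are constructed placeholders, not VizAir paths.

```python
"""Audit a web-served directory for configuration files that expose
credentials (CWE-522). Added example; file and key names are constructed."""
import math
import os
import re
import tempfile
from pathlib import Path

# File types that commonly carry application configuration.
CONFIG_SUFFIXES = {".json", ".ini", ".cfg", ".conf", ".yml", ".yaml", ".env", ".js"}

# key=value / "key": "value" pairs whose key hints at a credential;
# the value must be at least 8 characters to be worth reporting.
CRED_RE = re.compile(
    r'(?i)(api[_-]?key|apikey|secret|token|password|passwd)["\']?\s*[:=]\s*["\']?([^"\'\s,;]{8,})'
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, placeholders like 'changeme' low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_webroot(root: str, min_entropy: float = 3.0) -> list:
    """Return one finding per credential-looking value found in a config file under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in CONFIG_SUFFIXES:
            continue
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            for m in CRED_RE.finditer(line):
                value = m.group(2)
                if shannon_entropy(value) >= min_entropy:
                    findings.append({"file": str(path.relative_to(root)), "line": lineno,
                                     "key": m.group(1), "value_len": len(value)})
    return findings


def demo() -> list:
    """Build a constructed web root with one leaked key and two benign files, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "config.json").write_text('{"station": "KXYZ", "api_key": "a9f3Kd82LqPz0WxT"}\n')
        Path(root, "settings.ini").write_text("timeout = 30\npassword = changeme\n")  # placeholder
        Path(root, "readme.txt").write_text("token: ABCDEFGHIJKLMNOP\n")  # not a config type
        return scan_webroot(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}:{f['line']} exposes {f['key']} ({f['value_len']} chars)")
```

Run it against the directory your web server actually publishes; any hit means the credential must move outside the served tree (for example into an environment variable read at startup) and be rotated.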
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerabilities enable exploitation of a public-facing REST API and admin panel that lack authentication (T1190), exposure of the API key in a publicly accessible configuration file (T1552.001), remote alteration of stored weather data and configurations (T1565.001), and denial of service by flooding the API with false alerts (T1499.003).