CVE-2025-61956
Published: 04 November 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-61956 is a critical vulnerability in Radiometrics VizAir, stemming from a lack of authentication mechanisms for critical functions, including admin access and API requests. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Published on 2025-11-04, the flaw enables unauthenticated modification of configurations in this air traffic management-related software.
Attackers require only network access to exploit the vulnerability, with no privileges, user interaction, or special conditions needed. Successful exploitation allows remote modification of active runway settings, potentially misleading air traffic control (ATC) and pilots. Attackers can also manipulate meteorological data, causing forecasters and ATC to rely on inaccurate information for flight planning.
CISA's ICS Advisory ICSA-25-308-04 details mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04 and the related GitHub file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication for admin panel and API (CVE-2025-61956, CVE-2025-61945) enables T1190 (exploit public-facing application). Exposed API key in config file (CVE-2025-54863) enables T1552.001 (credentials in files). Allows manipulation of weather data and runway settings, enabling T1565.001 (stored data manipulation).