Cyber Posture

CVE-2025-62193

Critical

Published: 15 January 2026
Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (53.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Implements input validation at entry points to reject specially crafted PyFerret expressions containing SPAWN commands, directly preventing OS command injection.
- Prevent: Requires timely patching of the identified flaw in gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java to eliminate the vulnerability.
- Prevent: Restricts dangerous information inputs such as PyFerret SPAWN commands using defined tools and procedures to block exploitation attempts.

Security Summary

CVE-2025-62193 is a remote code execution vulnerability affecting sites running NOAA PMEL Live Access Server (LAS). The flaw is triggered by specially crafted requests that include PyFerret expressions; a SPAWN command embedded in such an expression can be used to execute arbitrary OS commands on the server. It is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was addressed in an update to the file 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' dated 2025-09-24.

A remote, unauthenticated attacker can exploit this vulnerability by sending malicious requests to a LAS instance accessible over the network. Exploitation requires low complexity and no privileges or user interaction, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability through arbitrary OS command execution on the server.

Mitigation requires updating LAS to the patched version, with fixes implemented in GitHub commits such as de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29 and e69afb1898ae7e69f3e047513fc1e5570373912b in the NOAA-PMEL/LAS repository. Additional details are available in the repository's README.md, version comparison from b4b7306 to de5f923, and the main branch tree.

Details

CWE(s): CWE-78 (OS Command Injection)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote code execution flaw in a public-facing web application (NOAA PMEL LAS) exploitable via crafted requests for arbitrary OS command execution without authentication or user interaction, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
