The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-4008, a critical command injection vulnerability in Smartbedded Meteobridge devices, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw allows remote attackers to execute arbitrary code without authentication, putting affected devices at risk of takeover and data breaches.
Key points
- The vulnerability CVE-2025-4008 affects Smartbedded Meteobridge devices and involves command injection via the web interface.
- Exploitation can occur without authentication, as the affected CGI script is publicly accessible.
- Attackers can execute arbitrary commands with root privileges on compromised devices.
- The flaw was patched in Meteobridge version 6.2, released on May 13, 2025.
- Federal Civilian Executive Branch (FCEB) agencies must apply the necessary updates by October 23, 2025, to mitigate risks.
Read More: https://thehackernews.com/2025/10/cisa-flags-meteobridge-cve-2025-4008.html