The US cybersecurity agency CISA on Thursday warned that a Meteobridge vulnerability patched in May has been exploited in attacks and added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Meteobridge is a device that allows administrators to connect their weather stations to public weather networks. Station data collection and system management functionality is provided through the Meteobridge web interface.
While Meteobridge should not be exposed to the internet, there are roughly 100 devices that are accessible from the public web, Shodan historical data shows. This misconfiguration exposes vulnerable devices to potential attacks.
Tracked as CVE-2025-4008 (CVSS score of 8.7), the Meteobridge bug now flagged as exploited was identified in a web interface endpoint (a CGI shell script) that is prone to command injection.
The issue exists because user-controlled input is parsed and used in an eval call without sanitization. Furthermore, because the vulnerable CGI script is available in the public folder, it is not protected by authentication, allowing unauthenticated attackers to exploit the bug via a curl command.
“Remote exploitation through malicious webpage is also possible since it’s a GET request without any kind of custom header or token parameter,” Onekey explains.
On May 13, Smartbedded announced that MeteoBridge version 6.2 was released with fixes for “an application security risk”, without mentioning the CVE or the vulnerability’s exploitation.
Now, CISA warns that threat actors have exploited the flaw in attacks, urging federal agencies to address it within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.
While Onekey published technical details on CVE-2025-4008 and a proof-of-concept (PoC) exploit in May, there have been no reports of the bug’s in-the-wild exploitation prior to CISA adding it to KEV.
On Thursday, CISA also expanded the KEV list with a recent Samsung zero-day (CVE-2025-21043) and with three old security defects in Jenkins (CVE-2017-1000353), Juniper ScreenOS (CVE-2015-7755), and GNU Bash OS (CVE-2014-6278, aka Shellshock), which were flagged as exploited before.
All organizations are advised to address these five vulnerabilities, and all the flaws described by CISA’s KEV list.
Related: Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks
Related: Organizations Warned of Exploited Sudo Vulnerability
Related: WireTap Attack Breaks Intel SGX Security
Related: Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities
