CVE-2025-1077
Published: 07 February 2025
Summary
CVE-2025-1077 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Iblsoft (inferred from references). Its CVSS base score is 9.5 (Critical).
Operationally, ranked in the top 21.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A security vulnerability tracked as CVE-2025-1077 affects the Product Delivery Service (PDS) component in IBL Software Engineering Visual Weather and its derived products including NAMIS, Aero Weather, and Satellite Weather. The flaw exists only in specific server configurations where the PDS pipeline uses the IPDS pipeline with Message Editor Output Filters enabled. It stems from insufficient input validation and unsafe deserialization (CWE-20, CWE-502), allowing specially crafted Form Properties to trigger arbitrary Python code execution when the IPDS pipeline is invoked.
A remote unauthenticated attacker can exploit the issue by sending crafted requests directly to the affected PDS endpoint. Successful exploitation grants arbitrary Python code execution on the server, which can result in full system compromise, particularly when Visual Weather services run under a privileged account rather than following documented least-privilege installation guidance. The vulnerability carries a CVSS 4.0 score of 9.5 reflecting network attack vector, high impact on confidentiality, integrity, and availability, and scope change.
The vendor advisory at https://www.iblsoft.com/security/advisory-isec-2024-001/ recommends upgrading to version 7.3.10 or 8.6.0 and later to address the issue. Current EPSS remains low at 0.0112 with a modest peak of 0.0180, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1991
Vulnerability details
A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline…
more
utilizes the IPDS pipeline with Message Editor Output Filters enabled. A remote unauthenticated attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices. Upgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.