CVE-2025-61945
Published: 04 November 2025
Summary
CVE-2025-61945 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Radiometrics VizAir. Its CVSS base score is 10.0 (Critical), the maximum possible.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): defines the narrow set of actions the system may perform for an unidentified user and thereby excludes critical admin panel functions, such as weather parameter modification, from that set, so they are reachable only through authenticated access. This addresses the missing authentication for critical functions directly.
- Unique identification and authentication of organizational users before they can reach the vulnerable admin panel, which prevents remote unauthenticated exploitation.
- AC-3 (Access Enforcement): enforces approved authorizations on every request, blocking unauthorized logical access to, and modification of, essential weather parameters via the exposed admin panel.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the admin panel and API (CVE-2025-61945, CVE-2025-61956) enables T1190 (Exploit Public-Facing Application). An API key exposed in a public configuration file (CVE-2025-54863) enables T1552.001 (Unsecured Credentials: Credentials In Files). Unauthenticated access in turn allows T1565 (Data Manipulation of weather and runway parameters) and T1499 (Endpoint Denial of Service via false alerts).
NVD Description
Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind shear alerts, inversion depth, and CAPE values, which are essential for accurate weather forecasting and flight safety. This unauthorized access could result in the disabling of vital alerts, causing hazardous conditions for aircraft, and manipulating runway assignments, which could result in mid-air conflicts or runway incursions.
Deeper analysis
CVE-2025-61945 is a critical vulnerability in Radiometrics VizAir, published on 2025-11-04, that enables access to the system's admin panel without authentication. Assigned CWE-306 (Missing Authentication for Critical Function) and the maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), it allows remote attackers to modify essential weather parameters, including wind shear alerts, inversion depth, and CAPE values, which are vital for accurate forecasting and aviation safety. The changed scope (S:C) reflects that tampering with the panel affects systems beyond the panel itself, namely the forecasts and runway assignments that depend on its data.
Any remote attacker can exploit this vulnerability without privileges, user interaction, or special conditions, simply by accessing the exposed admin panel. Successful exploitation enables tampering with critical data, such as disabling safety alerts that could lead to hazardous aircraft conditions or altering runway assignments, potentially resulting in mid-air conflicts or runway incursions.
CISA advisory ICSA-25-308-04 provides details on mitigation, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json.
Details
- CWE(s)