Cyber Resilience

CVE-2025-61945

Critical

Published: 04 November 2025

Published
04 November 2025
Modified
12 November 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 35.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61945 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Radiometrics Vizair. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-61945 is a critical vulnerability in Radiometrics VizAir, published on 2025-11-04, that enables unauthorized access to the system's admin panel without authentication. Assigned CWE-306 (Missing Authentication for Critical Function) and a perfect CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), it allows remote attackers to modify essential weather parameters, including wind shear alerts, inversion depth, and CAPE values, which are vital for accurate forecasting and aviation safety.

Any remote attacker can exploit this vulnerability without privileges, user interaction, or special conditions, simply by accessing the exposed admin panel. Successful exploitation enables tampering with critical data, such as disabling safety alerts that could lead to hazardous aircraft conditions or altering runway assignments, potentially resulting in mid-air conflicts or runway incursions.

CISA advisory ICSA-25-308-04 provides details on mitigation, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04, along with the corresponding CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json.

EU & UK References

Vulnerability details

Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind shear alerts, inversion depth, and CAPE values, which…

more

are essential for accurate weather forecasting and flight safety. This unauthorized access could result in the disabling of vital alerts, causing hazardous conditions for aircraft, and manipulating runway assignments, which could result in mid-air conflicts or runway incursions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1565 Data Manipulation Impact
Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
T1499 Endpoint Denial of Service Impact
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.
Why these techniques?

Missing authentication for admin panel/API (CVE-2025-61945, CVE-2025-61956) enables T1190 (exploit public-facing app). Exposed API key in public config (CVE-2025-54863) enables T1552.001 (unsecured credentials). Unauth access allows T1565 (data manipulation of weather/runway params) and T1499 (DoS via false alerts).

CVEs Like This One

CVE-2025-61956Same product: Radiometrics Vizair
CVE-2025-54863Same product: Radiometrics Vizair
CVE-2020-37157Shared CWE-306
CVE-2020-36963Shared CWE-306
CVE-2020-37146Shared CWE-306
CVE-2021-47802Shared CWE-306
CVE-2026-41930Shared CWE-306
CVE-2026-27843Shared CWE-306
CVE-2025-21515Shared CWE-306
CVE-2025-57432Shared CWE-306

Affected Assets

radiometrics
vizair
≤ 2025-08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly identifies and restricts critical admin panel functions like weather parameter modification to only authenticated access, addressing the missing authentication for critical functions.

prevent

Requires unique identification and authentication for organizational users before accessing the vulnerable admin panel, preventing remote unauthenticated exploitation.

prevent

Enforces approved authorizations to block unauthorized logical access and modification of essential weather parameters via the exposed admin panel.

References