Cyber Resilience

CVE-2025-61956

Critical

Published: 04 November 2025

Published
04 November 2025
Modified
12 November 2025
KEV Added
Patch
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0015 34.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-61956 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Radiometrics Vizair. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-61956 is a critical vulnerability in Radiometrics VizAir, stemming from a lack of authentication mechanisms for critical functions, including admin access and API requests. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Published on 2025-11-04, the flaw enables unauthenticated modification of configurations in this air traffic management-related software.

Attackers require only network access to exploit the vulnerability, with no privileges, user interaction, or special conditions needed. Successful exploitation allows remote modification of active runway settings, potentially misleading air traffic control (ATC) and pilots. Attackers can also manipulate meteorological data, causing forecasters and ATC to rely on inaccurate information for flight planning.

CISA's ICS Advisory ICSA-25-308-04 details mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04 and the related GitHub file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json.

EU & UK References

Vulnerability details

Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally,…

more

manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Missing authentication for admin panel and API (CVE-2025-61956, CVE-2025-61945) enables T1190 (exploit public-facing application). Exposed API key in config file (CVE-2025-54863) enables T1552.001 (credentials in files). Allows manipulation of weather data and runway settings, enabling T1565.001 (stored data manipulation).

CVEs Like This One

CVE-2025-61945Same product: Radiometrics Vizair
CVE-2025-54863Same product: Radiometrics Vizair
CVE-2020-37157Shared CWE-306
CVE-2020-36963Shared CWE-306
CVE-2020-37146Shared CWE-306
CVE-2021-47802Shared CWE-306
CVE-2026-41930Shared CWE-306
CVE-2025-8861Shared CWE-306
CVE-2026-1019Shared CWE-306
CVE-2025-21515Shared CWE-306

Affected Assets

radiometrics
vizair
≤ 2025-08

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly identifies and restricts permitted actions without identification or authentication, preventing unauthenticated access to critical admin and API functions in VizAir.

prevent

Enforces approved access control policies requiring authentication for logical access to configurations like runway settings and meteorological data.

prevent

Mandates unique identification and authentication for organizational users accessing critical functions, addressing the missing authentication mechanisms exploited in this CVE.

References