CVE-2025-61956
Published: 04 November 2025
Summary
CVE-2025-61956 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Radiometrics Vizair. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly identifies and restricts permitted actions without identification or authentication, preventing unauthenticated access to critical admin and API functions in VizAir.
Enforces approved access control policies requiring authentication for logical access to configurations like runway settings and meteorological data.
Mandates unique identification and authentication for organizational users accessing critical functions, addressing the missing authentication mechanisms exploited in this CVE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication for admin panel and API (CVE-2025-61956, CVE-2025-61945) enables T1190 (exploit public-facing application). Exposed API key in config file (CVE-2025-54863) enables T1552.001 (credentials in files). Allows manipulation of weather data and runway settings, enabling T1565.001 (stored data manipulation).
NVD Description
Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally,…
more
manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.
Deeper analysisAI
CVE-2025-61956 is a critical vulnerability in Radiometrics VizAir, stemming from a lack of authentication mechanisms for critical functions, including admin access and API requests. Classified under CWE-306 (Missing Authentication for Critical Function), it carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Published on 2025-11-04, the flaw enables unauthenticated modification of configurations in this air traffic management-related software.
Attackers require only network access to exploit the vulnerability, with no privileges, user interaction, or special conditions needed. Successful exploitation allows remote modification of active runway settings, potentially misleading air traffic control (ATC) and pilots. Attackers can also manipulate meteorological data, causing forecasters and ATC to rely on inaccurate information for flight planning.
CISA's ICS Advisory ICSA-25-308-04 details mitigation recommendations, available at https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04 and the related GitHub file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-04.json.
Details
- CWE(s)