CVE-2025-66620

High

Published: 07 January 2026

Modified: 22 January 2026
KEV Added: not listed
Patch: (not specified)
CVSS v4 Score: 8.6 (CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0042 (33.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-66620 is a high-severity Command Shell in Externally Accessible Directory (CWE-553) vulnerability in Columbiaweather Weather Microserver Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The vulnerability is ranked at the 33.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and CM-7 (Least Functionality).

Deeper analysis

CVE-2025-66620 is a vulnerability in MicroServer involving an unused webshell that permits unlimited login attempts and grants sudo rights on certain files and directories. This issue, associated with CWE-553, affects the MicroServer component and carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high confidentiality, integrity, and availability impacts, low attack complexity, low privileges required, and an adjacent-network attack vector.

An attacker with admin access to MicroServer can exploit this vulnerability to obtain limited shell access. This enables persistence mechanisms such as reverse shells, along with the capability to modify or remove data stored in the file system.

Mitigation details are outlined in advisories including ICSA-26-006-01 from CISA (https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01) and the corresponding CSAF document (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json). The vulnerability was published on 2026-01-07.

Vulnerability details

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.

CWE(s): CWE-553 Command Shell in Externally Accessible Directory

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1548.003 Sudo and Sudo Caching (Privilege Escalation): Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The unused webshell with unlimited login attempts directly enables T1505.003 (Web Shell) and T1110 (Brute Force); the granted sudo rights map to T1548.003; the limited shell access used for reverse shells and persistence maps to T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-61939 (same product: Columbiaweather Weather Microserver)

Affected Assets

columbiaweather weather microserver firmware, versions ≤ MS_4.1_14142

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely remediation of the webshell vulnerability through patching or updates eliminates the unlimited login attempts and the sudo access.

Prevent (AC-7, Unsuccessful Logon Attempts): Directly counters unlimited login attempts to the webshell by enforcing lockout after a defined number of unsuccessful logons.

Prevent (CM-7, Least Functionality): Prevents exploitation by configuring the system to disable or remove unused webshells and non-essential functions that grant sudo rights.
