CVE-2025-4008
Arbitrary Command Injection in Smartbedded MeteoBridge
In short
The Meteobridge weather station system has a web interface flaw that lets attackers run any command on the device without logging in. This gives attackers complete control over the weather station and the system it runs on.
Technical detail
An unauthenticated endpoint in the Meteobridge CGI-based web interface is vulnerable to OS command injection (CWE-77): user-supplied parameters are passed into a shell command without validation. Because the endpoint requires no authentication (CWE-306, missing authentication for critical function), a remote attacker can execute arbitrary commands with root privileges, resulting in complete system compromise.
Summary generated and translated by AI from the official description.
The Meteobridge web interface lets Meteobridge administrators manage their weather station's data collection and administer the Meteobridge system through a web application written in CGI shell scripts and C.
This web interface exposes an endpoint that is vulnerable to command injection.
Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
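The advisory names the pattern but not the endpoint or parameter, so the following is an added example and not MeteoBridge code: a minimal CGI shell handler that shows how unvalidated parameters reach a shell in the way CWE-77 describes, beside a hardened version that authenticates the caller, allowlists the value and never lets the shell re-parse it. The `station` parameter, the `lookup_station` back-end stand-in and the use of `REMOTE_USER` (set by the web server after HTTP authentication) are assumptions for the illustration; the injected payload is a harmless constructed `echo`.

```sh
#!/bin/sh
# Added example, not MeteoBridge code. The "station" parameter and
# lookup_station() are hypothetical stand-ins for the real endpoint.

# Pull one key out of a QUERY_STRING-style value ("a=1&b=2"). Minimal decoder:
# '+' becomes a space; percent-decoding is deliberately left out.
get_param() {
    # $1 = query string, $2 = key name
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr '+' ' '
}

# Stand-in for whatever back-end program the real endpoint would run.
lookup_station() {
    printf 'lookup for [%s]\n' "$1"
}

# VULNERABLE: the value is spliced into a string that the shell re-parses, so
# ';', '|', '`' and '$(...)' inside the parameter end the intended command and
# start an attacker-chosen one. Nothing checks who the caller is (CWE-306).
vulnerable_handler() {
    station=$(get_param "$1" station)
    eval "lookup_station $station"
}

# HARDENED: require an authenticated caller (REMOTE_USER is assumed to be set
# by the web server after HTTP authentication), allowlist the value, and pass
# it as a single quoted argument so the shell never re-parses it.
hardened_handler() {
    if [ -z "${REMOTE_USER:-}" ]; then
        printf 'Status: 401 Unauthorized\n\n'
        return 1
    fi
    station=$(get_param "$1" station)
    # Allowlist: non-empty, letters/digits/'-'/'_' only, at most 32 characters.
    case "$station" in
        ''|*[!A-Za-z0-9_-]*)
            printf 'Status: 400 Bad Request\n\n'
            return 1 ;;
    esac
    if [ "${#station}" -gt 32 ]; then
        printf 'Status: 400 Bad Request\n\n'
        return 1
    fi
    lookup_station "$station"
}

# Constructed request: the attacker appends ";echo INJECTED" to the parameter.
# Against a real endpoint the payload would be any command the CGI user may run.
demo() {
    echo "--- vulnerable handler"
    vulnerable_handler 'station=ws1;echo+INJECTED'
    echo "--- hardened handler, unauthenticated"
    (unset REMOTE_USER; hardened_handler 'station=ws1;echo+INJECTED') || true
    echo "--- hardened handler, authenticated, same payload"
    (REMOTE_USER=admin; hardened_handler 'station=ws1;echo+INJECTED') || true
    echo "--- hardened handler, authenticated, valid value"
    (REMOTE_USER=admin; hardened_handler 'station=ws1')
}

demo
```

The vulnerable handler prints `INJECTED` after the legitimate lookup because `eval` re-parses the parameter; the hardened one rejects the same request with 401 when no user is authenticated and with 400 when the value contains anything outside the allowlist. Input validation alone is not the whole fix: the advisory states the interface runs as root, so a CGI user with minimal privileges would also have limited the impact of this class of bug.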
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
The vector requires no privileges or user interaction but rates the attack vector as adjacent (AV:A), that is, an attacker on the same network segment as the device. A Meteobridge whose web interface is reachable from the internet is exposed more widely than that rating suggests.
Affected products
Smartbedded · MeteoBridge