CVE-2025-62193
NOAA PMEL Live Access Server (LAS) PyFerret command injection
Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
National Oceanic and Atmospheric Administration (NOAA) · Live Access Server (LAS)
References
https://github.com/NOAA-PMEL/LAS/blob/main/README.md
https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b
https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923
https://github.com/NOAA-PMEL/LAS/tree/main
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json
https://www.cve.org/CVERecord?id=CVE-2025-62193