CVE-2025-1077
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Summary
A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled.
A remote unauthenticated
attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices.
Upgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| IBL Software Engineering | Visual Weather | 8.2.5 | affected |
| IBL Software Engineering | Visual Weather | 7.3.9 | affected |
| IBL Software Engineering | Visual Weather | 7.3.6 (Enterprise Build) | affected |
| IBL Software Engineering | Visual Weather | 8.5.2 (Enterprise Build) | affected |
| IBL Software Engineering | NAMIS | 8.2.5 | affected |
| IBL Software Engineering | NAMIS | 7.3.9 | affected |
| IBL Software Engineering | NAMIS | 7.3.6 (Enterprise Build) | affected |
| IBL Software Engineering | NAMIS | 8.5.2 (Enterprise Build) | affected |
| IBL Software Engineering | Aero Weather | 8.2.5 | affected |
| IBL Software Engineering | Aero Weather | 7.3.9 | affected |
| IBL Software Engineering | Aero Weather | 7.3.6 (Enterprise Build) | affected |
| IBL Software Engineering | Aero Weather | 8.5.2 (Enterprise Build) | affected |
| IBL Software Engineering | Satellite Weather | 8.2.5 | affected |
| IBL Software Engineering | Satellite Weather | 7.3.9 | affected |
| IBL Software Engineering | Satellite Weather | 7.3.6 (Enterprise Build) | affected |
| IBL Software Engineering | Satellite Weather | 8.5.2 (Enterprise Build) | affected |
Weaknesses
- CWE-502: CWE-502 Deserialization of Untrusted Data
- CWE-20: CWE-20 Improper Input Validation
Workarounds
In order to mitigate the vulnerability: - Disable PDS pipelines utilizing IPDS pipelines in server configurations. - Enforce installation best practices by ensuring Visual Weather services are not run under a privileged user account. - Restrict network access to the PDS pipeline endpoint to trusted IP ranges only.
It is also recommended to contact IBL Support Team for more detailed security and server hardening guidelines.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.