CVE-2025-64305
7.1
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Columbia Weather Systems | MicroServer | 0 < MS_4.1_14142 | affected |
Weaknesses
- CWE-313: CWE-313 Cleartext Storage in a File or on Disk
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.