CVE-2025-64305

Summary

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

Affected Software

VendorProductVersion RangeStatus
Columbia Weather SystemsMicroServer0 < MS_4.1_14142affected

Weaknesses

  • CWE-313: CWE-313 Cleartext Storage in a File or on Disk

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References