CVE-2025-54863 in VizAir
Summary
by MITRE • 11/04/2025
Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data, which could potentially compromise airport operations. Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations. Unauthorized remote control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.
Analysis
by VulDB Data Team • 11/12/2025
The vulnerability identified as CVE-2025-54863 affects Radiometrics VizAir systems, which are critical components in aviation weather monitoring and management. This weakness represents a severe configuration error that exposes sensitive system credentials through an improperly secured configuration file. The exposed REST API key creates a direct pathway for unauthorized actors to gain administrative access to the weather monitoring infrastructure, fundamentally compromising the integrity of aviation safety systems. Such a flaw directly violates security best practices for credential management and access control, as it demonstrates a failure to implement proper least privilege principles and secure configuration management.
The technical nature of this vulnerability aligns with CWE-798, which addresses the use of hardcoded credentials, and CWE-259, which covers weak password storage mechanisms. Attackers can exploit this exposure to remotely manipulate weather data and system configurations, effectively taking control of the aviation weather monitoring infrastructure. The REST API key serves as a critical authentication token that allows full administrative access to the system's core functionality, enabling attackers to modify weather parameters, adjust system settings, and potentially disrupt operational workflows. This exposure creates a persistent threat vector that remains active until the configuration file is properly secured or the API key is rotated.
The operational impact of this vulnerability extends far beyond simple data manipulation, creating significant risks to aviation safety and operational continuity. Unauthorized access to meteorological data could result in incorrect flight planning decisions, as pilots and air traffic controllers might rely on compromised weather information for critical operational decisions. The ability to flood the system with false alerts represents a potential denial-of-service condition that could overwhelm operators and potentially lead to real safety risks during critical weather events. This vulnerability could enable attackers to create hazardous conditions for flight operations by manipulating weather data that directly impacts takeoff and landing decisions, thereby violating fundamental aviation safety protocols.
Mitigation strategies must focus on immediate remediation of the exposed configuration file and implementation of comprehensive access control measures. Organizations should implement proper credential rotation procedures and ensure that API keys are dynamically generated and securely stored rather than hardcoded in configuration files. The system should be configured to restrict access to sensitive configuration files through proper file permissions and network segmentation. Additionally, implementing monitoring and alerting for unauthorized access attempts can help detect exploitation attempts. The vulnerability highlights the importance of following security frameworks such as NIST SP 800-53 and ISO 27001, which emphasize secure configuration management and access control as critical security controls for protecting operational technology systems. Regular security assessments and penetration testing should be conducted to identify similar configuration weaknesses in other system components.
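The monitoring step above can be sketched as a log check. This is an added example, not code from Radiometrics, MITRE or VulDB: it flags clients outside a management network that successfully retrieved the configuration file, and lists any state-changing API calls they made afterwards. The file path, API prefix, network range and log lines are constructed placeholders, since the advisory does not publish them.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Assumptions, not from the advisory: every path, network and log line here is
# a constructed placeholder; substitute the values from your own deployment.
CONFIG_PATH = "/PLACEHOLDER/config.json"   # hypothetical config file location
API_PREFIX = "/api/"                       # hypothetical REST API prefix
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # management network
WINDOW = timedelta(hours=24)               # how long to watch after a fetch
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
LINE_RE = re.compile(                      # combined access-log format
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation address ranges).
SAMPLE_LOG = [
    f'10.20.1.5 - - [04/Nov/2025:08:00:01 +0000] "GET {CONFIG_PATH} HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - [04/Nov/2025:09:12:44 +0000] "GET {CONFIG_PATH} HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.9 - - [04/Nov/2025:09:13:02 +0000] "GET {CONFIG_PATH} HTTP/1.1" 403 0 "-" "-"',
    f'203.0.113.7 - - [04/Nov/2025:09:15:10 +0000] "PUT {API_PREFIX}PLACEHOLDER HTTP/1.1" 200 64 "-" "-"',
    f'198.51.100.9 - - [04/Nov/2025:09:16:00 +0000] "POST {API_PREFIX}PLACEHOLDER HTTP/1.1" 401 0 "-" "-"',
]

def is_trusted(ip):
    """True only for addresses inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                     # hostname or junk: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_exposures(lines):
    """Map untrusted client IP -> first config fetch and later API writes."""
    findings = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"].split("?", 1)[0], int(m["status"])
        if path == CONFIG_PATH and status == 200:
            findings.setdefault(ip, {"config_fetch": ts, "api_writes": []})
        elif (ip in findings and path.startswith(API_PREFIX)
              and m["method"] in WRITE_METHODS and 200 <= status < 300
              and ts - findings[ip]["config_fetch"] <= WINDOW):
            findings[ip]["api_writes"].append((ts, m["method"], path))
    return findings
```

Any entry returned means the key should be treated as disclosed and rotated, because later use of the key may come from a different address than the one that fetched the file.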