Security firm ONEKEY, which discovered and reported the flaw in February 2025, explained that the Meteobridge web application, built from CGI shell scripts and C, exposes a CGI script, template.cgi, at the path /cgi-bin/template.cgi. Because the script passes request data to the shell's eval, an attacker can inject shell commands with a specially crafted request.
For instance, attackers could use commands like:
curl -i -u meteobridge:meteobridge \
'https://192.168.88.138/cgi-bin/template.cgi?$(id>/tmp/a)=whatever'
Since the CGI script is hosted in a public directory without authentication requirements, exploitation does not demand valid credentials. Security researcher Quentin Kaiser noted that attackers could even trigger this remotely by embedding malicious requests into web pages and tricking victims into clicking links or loading hidden image tags.
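As an added illustration (not Meteobridge's or ONEKEY's code), the following POSIX shell function shows the pattern a shell CGI can use to read key=value pairs from the query string without eval: each pair is split with parameter expansion, the key is checked against an identifier-only pattern, and the value is treated as data, so a pair such as $(id>/tmp/a)=whatever is rejected rather than executed. The function name and its behaviour are assumptions, and URL decoding is left out.

```shell
#!/bin/sh
# parse_query QUERY_STRING
# Prints "key<TAB>value" for every accepted pair and returns 1 if any
# pair was rejected. Nothing here is handed to eval: the string is only
# split on '&' and '=', so shell metacharacters in it stay inert.
parse_query() {
    qs=$1
    rc=0
    oldifs=$IFS
    set -f          # no pathname expansion while $qs is expanded unquoted
    IFS='&'
    for pair in $qs; do
        [ -z "$pair" ] && continue       # tolerate "a=1&&b=2"
        key=${pair%%=*}
        val=${pair#*=}
        [ "$pair" = "$key" ] && val=""   # bare key, no '=' present
        # Only identifier-shaped keys are accepted; "$(id>/tmp/a)",
        # "`id`", "a;b" and the like fall through to the reject branch.
        case $key in
            ''|*[!A-Za-z0-9_]*|[0-9]*) rc=1; continue ;;
        esac
        # The value is data: print or store it, never re-parse it.
        printf '%s\t%s\n' "$key" "$val"
    done
    IFS=$oldifs
    set +f
    return $rc
}
```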
Patch and Exploitation Status
As of now, there are no detailed public reports describing real-world attacks. However, Meteobridge version 6.2, released on May 13, 2025, has patched the vulnerability. Users are strongly advised to update immediately to reduce exposure.
Additional Flaws Added to KEV
CISA has also included several other high-risk vulnerabilities in the KEV catalog, including:
- CVE-2025-21043 (CVSS 8.8) – Samsung mobile devices vulnerable to out-of-bounds write in libimagecodec.quram.so, potentially allowing remote code execution.
- CVE-2017-1000353 (CVSS 9.8) – Jenkins deserialization flaw that enables unauthenticated remote code execution, bypassing denylist protections.
- CVE-2015-7755 (CVSS 9.8) – Juniper ScreenOS improper authentication issue allowing unauthorized administrative access.
- CVE-2014-6278 (CVSS 8.8), known as Shellshock – GNU Bash command injection bug that permits arbitrary code execution via crafted environment variables.
Federal Requirements
In response to active exploitation, Federal Civilian Executive Branch (FCEB) agencies must apply patches and mitigations by October 23, 2025. Private organizations using Meteobridge or affected systems are also urged to prioritize updates to strengthen their security posture.