Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack secure password...
Description
Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack secure password requirements for its BIOS Supervisor and User acco...
AI Analyst Comment
Remediation
Update Kapsch TrafficCom Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical vulnerability exists in Kapsch TrafficCom Roadside Units (RSUs) due to insecure password requirements for low-level BIOS accounts. This flaw could allow an attacker to gain complete control over the affected traffic management hardware, potentially leading to significant disruption of transportation systems, manipulation of traffic data, and risks to public safety.
Vulnerability Details
CVE-ID: CVE-2025-25737
Affected Software: Kapsch TrafficCom Multiple Products
Affected Versions: RIS-9160 & RIS-9260 Roadside Units (RSUs) versions v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28
Vulnerability: The affected Kapsch TrafficCom RSUs do not enforce complexity, length, or rotation requirements for the BIOS Supervisor and User passwords. This weakness allows for the use of weak, default, or easily guessable credentials. An attacker with either physical access or, more critically, remote access to a management interface that exposes BIOS settings, could exploit this by brute-forcing or guessing the password. Successful exploitation grants the attacker privileged access to the BIOS/UEFI firmware, allowing them to alter boot sequences, disable security features, or install malicious firmware, leading to a persistent and complete compromise of the device.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on business operations and public safety. As these RSUs are critical components of intelligent transportation systems (ITS), their compromise could lead to widespread traffic disruption, the transmission of false information to vehicles and traffic management centers, and potential for creating hazardous road conditions. The reputational damage to the organization and the potential for physical harm make this a high-priority risk that could also serve as an entry point for broader attacks against municipal or regional network infrastructure.
Remediation Plan
Immediate Action: Immediately apply the security updates provided by Kapsch TrafficCom to patch the affected Roadside Units to the latest recommended version. After patching, review all system and access logs for any signs of unauthorized access or anomalous activity preceding the update.
Proactive Monitoring: Implement enhanced monitoring for the affected devices. Specifically, monitor for an unusual number of failed login attempts to management interfaces, unexpected system reboots, unauthorized configuration changes (especially to boot settings), and anomalous outbound network traffic originating from the RSUs that could indicate a compromise.
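A sketch of the correlation described under Proactive Monitoring, as an added example that is not part of the original advisory or any Kapsch tooling: it flags a burst of failed logins on one device and any reboot or boot-setting change that follows it. The log format, host names, thresholds and the `detect` function are assumptions, and the sample lines are constructed; field matching must be adapted to whatever the RSU management interface actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "<ts> <host> <tag>: <msg>" format.
SAMPLE_LOG = """\
2025-08-26T02:10:01Z rsu-017 auth: login failed user=supervisor
2025-08-26T02:10:11Z rsu-017 auth: login failed user=supervisor
2025-08-26T02:10:21Z rsu-017 auth: login failed user=supervisor
2025-08-26T02:10:31Z rsu-017 auth: login failed user=supervisor
2025-08-26T02:10:41Z rsu-017 auth: login failed user=supervisor
2025-08-26T02:14:00Z rsu-017 system: reboot reason=unknown
2025-08-26T02:16:30Z rsu-017 config: boot_order changed
2025-08-26T02:50:00Z rsu-022 auth: login failed user=user
2025-08-26T02:50:09Z rsu-022 auth: login failed user=user
2025-08-26T03:00:00Z rsu-022 system: reboot reason=scheduled
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
FAIL_THRESHOLD = 5                       # assumed: failures per host ...
FAIL_WINDOW = timedelta(minutes=2)       # ... inside this sliding window
FOLLOWUP_WINDOW = timedelta(minutes=30)  # reboot/config change after a burst

def detect(log_text):
    """Return (host, timestamp, reason) tuples; expects chronological input."""
    fails = defaultdict(deque)   # host -> recent failure timestamps
    last_burst = {}              # host -> time of the most recent burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # skip lines that do not fit the assumed format
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
        host, tag, msg = m[2], m[3], m[4]
        if tag == "auth" and msg.startswith("login failed"):
            q = fails[host]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()      # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD:
                alerts.append((host, ts, "failed-login burst"))
                last_burst[host] = ts
                q.clear()        # one alert per burst, then count again
        elif host in last_burst and ts - last_burst[host] <= FOLLOWUP_WINDOW:
            if tag == "system" and msg.startswith("reboot"):
                alerts.append((host, ts, "reboot after failed-login burst"))
            elif tag == "config" and msg.startswith("boot_order"):
                alerts.append((host, ts, "boot setting change after failed-login burst"))
    return alerts
```

Calling `detect(SAMPLE_LOG)` returns three alerts for `rsu-017` and none for `rsu-022`, whose two failures and scheduled reboot stay below the assumed thresholds.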
Compensating Controls: If immediate patching is not feasible, implement the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Aug 26, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in critical infrastructure components like RSUs are attractive targets for sophisticated threat actors. The exploit method would likely involve credential guessing or the use of default passwords, which is a common technique.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the potential for severe impact on public safety, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches across all affected Kapsch TrafficCom RSUs without delay. Although this CVE is not currently listed on the CISA KEV list, its critical nature warrants treating it with the highest urgency. If patching cannot be performed immediately, the compensating controls listed above should be implemented as an interim risk mitigation measure.