CVE-2025-25734
Kapsch · Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs)
Executive summary
A critical vulnerability has been discovered in specific Kapsch TrafficCom Roadside Units, essential components of traffic management systems. The flaw allows an unauthenticated attacker to gain complete, low-level control of the device before its main operating system even starts, potentially leading to a total system compromise and disruption of critical transportation infrastructure.
Vulnerability
The affected devices contain an unauthenticated Extensible Firmware Interface (EFI) shell. The EFI shell is a low-level command environment that runs before the primary operating system boots. An attacker with physical or remote access to the device's pre-boot environment can interrupt the normal boot sequence to access this shell without needing any credentials. From the EFI shell, an attacker can execute arbitrary commands with the highest privileges, allowing them to modify firmware, alter the bootloader, access or exfiltrate all data on the disk, or install persistent malware (e.g., a bootkit) that would be invisible to the running operating system.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for complete system compromise with low attack complexity. Successful exploitation could lead to the full takeover of affected Roadside Units (RSUs), which are critical for traffic monitoring and control. The business impact includes severe disruption of traffic management services, potential manipulation of traffic signals or electronic signage leading to public safety risks, and the ability for attackers to use the compromised RSU as a pivot point to attack broader municipal or transportation networks. The reputational damage and potential liability from an incident affecting public infrastructure are significant.
Remediation
Immediate Action: The primary remediation is to apply the vendor-supplied security patches immediately. Organizations should update Kapsch TrafficCom RIS-9160 and RIS-9260 RSUs to the latest version as recommended by the vendor. After patching, verify that the update was successful and the unauthenticated EFI shell is no longer accessible.
Proactive Monitoring: Monitor for signs of exploitation, including unexpected device reboots, unusual boot-up failures, or unauthorized changes to system configurations. Review access logs for the devices' management interfaces for any anomalous connection attempts. Network monitoring should be in place to detect unusual traffic patterns originating from the RSUs, which could indicate a compromise.
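One way to automate the "unexpected device reboots" check above, shown as an added example that is not vendor or advisory code. It assumes uptime is collected by periodic polling (for example SNMP sysUpTime); the device names, poll records, maintenance window and tolerance are constructed for illustration.

```python
from datetime import datetime, timedelta

WRAP = timedelta(seconds=2**32 / 100)  # SNMP sysUpTime (TimeTicks) wraps after ~497 days
TOLERANCE = timedelta(seconds=120)     # assumed allowance for clock and polling jitter

def unexpected_reboots(polls, windows):
    """polls: (iso_time, device, uptime_seconds) tuples, in time order per device.
    windows: {device: [(iso_start, iso_end), ...]} approved maintenance windows.
    Returns [(device, estimated_boot_time)] for restarts outside every window."""
    last_boot, findings = {}, []
    for ts, device, uptime in polls:
        # Estimated boot time stays constant while the device keeps running.
        boot = datetime.fromisoformat(ts) - timedelta(seconds=uptime)
        prev = last_boot.get(device)
        last_boot[device] = boot
        if prev is None or abs(boot - prev) <= TOLERANCE:
            continue  # first sighting, or still the same boot session
        if abs(boot - prev - WRAP) <= TOLERANCE:
            continue  # 32-bit uptime counter wrapped; the device did not restart
        approved = any(
            datetime.fromisoformat(start) <= boot <= datetime.fromisoformat(end)
            for start, end in windows.get(device, [])
        )
        if not approved:
            findings.append((device, boot))
    return findings

# Constructed sample data: names, times and uptimes are illustrative only.
SAMPLE_POLLS = [
    ("2025-03-01T00:00:00", "rsu-01", 864000),
    ("2025-03-01T00:05:00", "rsu-01", 864300),
    ("2025-03-01T00:10:00", "rsu-01", 45),        # restarted around 00:09:15
    ("2025-03-01T00:00:00", "rsu-02", 500000),
    ("2025-03-01T02:10:00", "rsu-02", 300),       # restarted 02:05, inside its window
    ("2025-03-01T00:00:00", "rsu-03", 42949600),
    ("2025-03-01T00:05:00", "rsu-03", 227),       # counter wrap, not a restart
]
SAMPLE_WINDOWS = {"rsu-02": [("2025-03-01T02:00:00", "2025-03-01T03:00:00")]}

if __name__ == "__main__":
    for device, boot in unexpected_reboots(SAMPLE_POLLS, SAMPLE_WINDOWS):
        print(f"ALERT {device}: restart at {boot.isoformat()} outside maintenance window")
```

A flagged restart is a prompt to inspect the unit's boot configuration and firmware integrity, since pre-boot access requires interrupting the boot sequence.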
Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:
- Ensure strict physical security controls are in place to prevent unauthorized access to the devices.
- Implement network segmentation to isolate the RSUs from public or non-essential corporate networks.
- Restrict all management interface access (e.g., SSH, web console, serial-over-LAN) to a limited set of authorized administrative hosts.
- Enable Secure Boot if the feature is available and properly configured to prevent the execution of unauthorized bootloaders.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the severe potential impact on public safety and critical infrastructure, this vulnerability requires immediate attention. Although CVE-2025-25734 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, organizations must not delay remediation. We strongly recommend that all affected Kapsch TrafficCom devices be patched on an emergency basis. If immediate patching is not feasible, the compensating controls outlined above, particularly network segmentation and access restriction, must be implemented without delay to mitigate the significant risk.