A critical vulnerability has been discovered in multiple Kapsch TrafficCom products where a powerful developer tool, the Android Debug Bridge (ADB), was left pre-installed. This oversight could allow an unauthenticated attacker with network access to gain complete administrative control over the affected traffic management systems, potentially leading to significant disruption of critical infrastructure and posing a public safety risk.

The affected versions of the Kapsch TrafficCom Roadside Units (RSUs) were shipped with the Android Debug Bridge (ADB) binary located at /mnt/c3platpersistent/opt/platform-tools/adb. ADB is a versatile command-line tool used for debugging, and its presence on a production device constitutes a significant security risk. If the ADB service is enabled and exposed to the network (typically on TCP port 5555), an attacker can connect to the device without authentication and gain privileged shell access. This allows the attacker to execute arbitrary commands, install malicious software, access or modify sensitive data, and achieve full administrative control over the device's underlying operating system.

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the potential for complete system compromise with low attack complexity. Successful exploitation could grant an attacker full control over critical traffic infrastructure components. The consequences include the ability to manipulate traffic flow, disable safety systems, display false information, or cause widespread network outages. Such actions pose a direct threat to public safety, could lead to significant economic disruption, and may result in a loss of public trust and severe reputational damage to the operating authority.

Immediate Action: Apply the vendor-supplied security patches immediately. Per the vendor's guidance, update all affected Kapsch TrafficCom Multiple Products to the latest version, which removes the vulnerable component. Following the update, actively monitor for any residual signs of compromise and review system access logs for any suspicious activity preceding the patch.

Proactive Monitoring: Implement enhanced monitoring on network segments containing the affected devices. Specifically, monitor for and alert on any network traffic on TCP port 5555, the default port for ADB. Review device logs for unauthorized access, unexpected reboots, new running processes, or any commands indicative of shell access.

Compensating Controls: If immediate patching is not possible, implement the following controls to reduce the risk of exploitation:

• Network Segmentation: Isolate the affected RSUs from the internet and other non-essential corporate or IT networks.
• Firewall Rules: Deploy strict firewall rules to explicitly block all inbound and outbound traffic to TCP port 5555 on the affected devices from any untrusted source.
• Access Control Lists (ACLs): Restrict network access to the devices' management interfaces to a limited set of authorized administrative hosts.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for complete compromise of critical infrastructure, we strongly recommend that organizations prioritize patching all affected Kapsch TrafficCom devices immediately. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high severity and potential impact on public safety warrant urgent attention. If patching cannot be performed immediately, the compensating controls outlined above must be implemented as a temporary measure to mitigate the immediate risk.