CVE-2025-25737

Kapsch · Kapsch TrafficCom Multiple Products

A critical vulnerability exists in Kapsch TrafficCom Roadside Units (RSUs) due to insecure password requirements for low-level BIOS accounts.

Executive summary

A critical vulnerability exists in Kapsch TrafficCom Roadside Units (RSUs) due to insecure password requirements for low-level BIOS accounts. This flaw could allow an attacker to gain complete control over the affected traffic management hardware, potentially leading to significant disruption of transportation systems, manipulation of traffic data, and risks to public safety.

Vulnerability

The affected Kapsch TrafficCom RSUs do not enforce complexity, length, or rotation requirements for the BIOS Supervisor and User passwords. This weakness allows the use of weak, default, or easily guessable credentials. An attacker with either physical access or, more critically, remote access to a management interface that exposes BIOS settings could exploit this by brute-forcing or guessing the password. Successful exploitation grants the attacker privileged access to the BIOS/UEFI firmware, allowing them to alter boot sequences, disable security features, or install malicious firmware, leading to a persistent and complete compromise of the device.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on business operations and public safety. As these RSUs are critical components of intelligent transportation systems (ITS), their compromise could lead to widespread traffic disruption, the transmission of false information to vehicles and traffic management centers, and potential for creating hazardous road conditions. The reputational damage to the organization and the potential for physical harm make this a high-priority risk that could also serve as an entry point for broader attacks against municipal or regional network infrastructure.

Remediation

Immediate Action: Apply the security updates provided by Kapsch TrafficCom to bring the affected Roadside Units to the latest recommended version without delay. After patching, review all system and access logs for any signs of unauthorized access or anomalous activity that preceded the update.

Proactive Monitoring: Implement enhanced monitoring for the affected devices. Specifically, monitor for an unusual number of failed login attempts to management interfaces, unexpected system reboots, unauthorized configuration changes (especially to boot settings), and anomalous outbound network traffic originating from the RSUs that could indicate a compromise.
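One way to turn the monitoring guidance above into a concrete check, as an added example that is not part of this advisory or of any Kapsch TrafficCom product: it correlates the three signals named here (bursts of failed management logins from one source, a success that follows such a burst, changes to boot settings, and reboots) over constructed log lines. The syslog-like layout, host names, addresses, the five-failures-in-five-minutes threshold and the `analyze` function are all assumptions, not the real RSU log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in an assumed syslog-like layout; a real RSU log format will differ.
SAMPLE_LOGS = [
    "2025-03-01T02:00:01 rsu-17 mgmt: login failed user=admin src=203.0.113.5",
    "2025-03-01T02:00:03 rsu-17 mgmt: login failed user=admin src=203.0.113.5",
    "2025-03-01T02:00:05 rsu-17 mgmt: login failed user=admin src=203.0.113.5",
    "2025-03-01T02:00:08 rsu-17 mgmt: login failed user=admin src=203.0.113.5",
    "2025-03-01T02:00:11 rsu-17 mgmt: login failed user=admin src=203.0.113.5",
    "2025-03-01T02:00:14 rsu-17 mgmt: login ok user=admin src=203.0.113.5",
    "2025-03-01T02:04:00 rsu-17 bios: setting changed key=boot_order by=admin",
    "2025-03-01T02:04:30 rsu-17 kernel: system reboot requested",
    "2025-03-01T09:15:00 rsu-18 mgmt: login failed user=operator src=198.51.100.7",
    "2025-03-01T09:20:00 rsu-18 mgmt: login ok user=operator src=198.51.100.7",
]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
FAIL_THRESHOLD = 5                   # failed logins from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this sliding window raise an alert (assumed values)

def analyze(lines):
    """Return (host, alert_type, detail) tuples for the advisory's monitoring signals."""
    alerts = []
    failures = defaultdict(deque)    # (host, src) -> timestamps of recent failed logins
    fired = set()                    # (host, src) pairs already reported as a burst
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that do not fit the assumed layout
        host, facility, msg = m["host"], m["facility"], m["msg"]
        ts = datetime.fromisoformat(m["ts"])
        if facility == "mgmt":
            src_m = re.search(r"src=(\S+)", msg)
            src = src_m.group(1) if src_m else "unknown"
            key = (host, src)
            if msg.startswith("login failed"):
                q = failures[key]
                q.append(ts)
                while ts - q[0] > FAIL_WINDOW:   # drop failures older than the window
                    q.popleft()
                if len(q) >= FAIL_THRESHOLD and key not in fired:
                    fired.add(key)
                    alerts.append((host, "brute_force", f"{len(q)} failed logins from {src}"))
            elif msg.startswith("login ok") and key in fired:
                # A success right after a burst is the strongest sign the guess worked.
                alerts.append((host, "login_after_brute_force", f"successful login from {src}"))
        elif facility == "bios" and "boot" in msg:
            alerts.append((host, "boot_config_change", msg))
        elif facility == "kernel" and "reboot" in msg:
            alerts.append((host, "unexpected_reboot", msg))
    return alerts
```

Feed it the management-interface, BIOS and kernel events exported from each RSU; a host that raises all four alert types in a few minutes matches the compromise sequence this advisory describes.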

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Manually access the BIOS on each device and set a strong, unique password for both the Supervisor and User accounts.
  • Ensure the devices are protected by a firewall and that access to any remote management ports is strictly limited to trusted IP addresses and networks.
  • Restrict physical access to the RSUs to authorized personnel only.
  • Segment the network to isolate the RSUs from less secure parts of the corporate or public network.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the potential for severe impact on public safety, this vulnerability requires immediate attention. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches across all affected Kapsch TrafficCom RSUs without delay. Although this CVE is not currently listed on the CISA KEV list, its critical nature warrants treating it with the highest urgency. If patching cannot be performed immediately, the compensating controls listed above should be implemented as an interim risk mitigation measure.