CVE-2025-54863
Radiometrics · Radiometrics VizAir Multiple Products
Executive summary
A critical vulnerability has been discovered in multiple Radiometrics VizAir products, identified as CVE-2025-54863. The flaw exposes a sensitive system REST API key in a publicly accessible configuration file, allowing an unauthenticated remote attacker to gain full administrative control, alter critical weather data, and modify system configurations. Due to the ease of exploitation and severe impact, immediate remediation is required to prevent data manipulation and system compromise.
Vulnerability
The vulnerability exists due to improper access control on a system configuration file. This file, which is accessible to the public over the internet, contains the hardcoded REST API key for the Radiometrics VizAir system. A remote, unauthenticated attacker can simply browse to the known location of this file, retrieve the API key, and use it to make authenticated requests to the system's API, granting them the ability to read, create, modify, or delete weather data and system settings.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 10. Exploitation could have a severe business impact, as it allows for the complete compromise of the system's integrity and availability. An attacker could maliciously alter weather data, leading to incorrect forecasts and potentially impacting safety-critical operations that rely on this information (e.g., aviation, agriculture, emergency services). The ability to change system configurations could also lead to a denial-of-service condition or be used to pivot further into the network, posing a significant risk to operational continuity, data integrity, and organizational reputation.
Remediation
Immediate Action:
- Immediately apply the security update provided by the vendor to patch all affected Radiometrics VizAir products to the latest version.
- After patching, verify that the configuration file is no longer publicly accessible.
- Review system and access logs for any signs of unauthorized API activity or of access to the sensitive configuration file that occurred before the patch was applied.
Proactive Monitoring:
- Monitor web server logs for requests to the specific configuration file path from untrusted or unusual IP addresses.
- Audit API logs for any unexpected or unauthorized configuration changes or data manipulation.
- Implement alerts for high-volume API requests or modifications originating from a single source.
Compensating Controls:
- If immediate patching is not feasible, implement a rule on the web server or a Web Application Firewall (WAF) to block all external access to the specific configuration file.
- Restrict access to the REST API endpoint to trusted IP addresses only.
- If possible, regenerate the API key once the system is no longer vulnerable; a key that was publicly readable should be treated as already exposed.
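The monitoring steps above (log review for requests to the configuration file from untrusted addresses, auditing of modifying API calls, and high-volume alerting) and the trusted-IP restriction on the API can be checked with a small log scanner. The following is an added example written for this advisory, not code from Radiometrics or the VizAir product; the configuration file path, API prefix, trusted networks and log lines are constructed placeholders, since the advisory does not publish the real file location.

```python
import ipaddress
import re
from collections import Counter

# Placeholders: substitute the real VizAir config file path, API prefix and trusted ranges.
SENSITIVE_PATHS = {"/config/system.json"}
API_PREFIX = "/api/"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
MODIFY_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
VOLUME_THRESHOLD = 3  # modifying API requests from one source before alerting

# Common/combined log format: client ip, timestamp, request line, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyze(lines):
    """Return a list of (alert_type, client_ip, detail) tuples for the given log lines."""
    alerts = []
    mods = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore query string when matching paths
        # 1) Any untrusted request for the sensitive file, including failed probes
        if path in SENSITIVE_PATHS and not is_trusted(ip):
            alerts.append(("config_file_access", ip, f"{method} {path} -> {status} at {ts}"))
        # 2) Modifying API calls: alert on untrusted sources and count per source
        if path.startswith(API_PREFIX) and method in MODIFY_METHODS:
            if not is_trusted(ip):
                alerts.append(("untrusted_api_modify", ip, f"{method} {path} at {ts}"))
            mods[ip] += 1
    for ip, n in mods.items():
        if n >= VOLUME_THRESHOLD:
            alerts.append(("high_volume_modify", ip, f"{n} modifying API requests"))
    return alerts

SAMPLE_LOG = [  # constructed sample lines; 203.0.113.7 is outside the trusted ranges
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /config/system.json HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "PUT /api/settings HTTP/1.1" 200 34',
    '203.0.113.7 - - [10/Oct/2025:12:00:06 +0000] "POST /api/weather/obs HTTP/1.1" 201 88',
    '203.0.113.7 - - [10/Oct/2025:12:00:07 +0000] "DELETE /api/weather/obs/42 HTTP/1.1" 204 0',
    '10.1.2.3 - - [10/Oct/2025:12:01:00 +0000] "GET /config/system.json HTTP/1.1" 200 512',
    '10.1.2.3 - - [10/Oct/2025:12:01:10 +0000] "GET /api/weather/obs HTTP/1.1" 200 1024',
]
```

Running `analyze(SAMPLE_LOG)` yields one configuration-file access alert, three untrusted modifying API calls and one high-volume alert, all for the untrusted source; the trusted host's requests produce nothing.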
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 10 and the potential for severe operational impact, it is imperative that organizations patch all affected Radiometrics VizAir systems immediately. The ease of exploitation makes these systems a high-value target for threat actors. While this CVE is not yet on the CISA KEV list, its severity warrants treating it with the highest priority. If patching cannot be performed immediately, the compensating controls outlined above should be implemented without delay to reduce the attack surface.