CVE-2025-61956
Radiometrics · Radiometrics VizAir Multiple Products
A critical vulnerability has been identified in multiple Radiometrics VizAir products, allowing unauthenticated remote attackers to gain complete administrative control.
Executive summary
A critical vulnerability has been identified in multiple Radiometrics VizAir products, allowing unauthenticated remote attackers to gain complete administrative control. This flaw, tracked as CVE-2025-61956, stems from a total lack of authentication for critical functions, enabling attackers to modify system configurations and access sensitive data without credentials. Due to the ease of exploitation and maximum potential impact, this vulnerability has been assigned the highest possible CVSS score of 10.0.
Vulnerability
The vulnerability exists because the software fails to implement any authentication mechanism for critical administrative functions and API endpoints. A remote, unauthenticated attacker can directly interact with these sensitive interfaces by sending specially crafted HTTP requests. This allows the attacker to perform privileged actions such as modifying system configurations, creating or deleting user accounts, shutting down services, or potentially executing arbitrary commands, leading to a full system compromise.
Business impact
This vulnerability represents a critical severity risk to the organization, reflected by its CVSS score of 10.0. Successful exploitation would grant an attacker complete administrative control over the affected Radiometrics VizAir systems. The potential consequences include unauthorized access to and exfiltration of sensitive data, service disruption or complete system outage, and reputational damage. An attacker could also use the compromised system as a pivot point to launch further attacks against the internal network, significantly expanding the scope of the breach.
Remediation
Immediate Action: Organizations must immediately update affected Radiometrics VizAir products to the latest version as recommended by the vendor. This is the primary and most effective method to resolve the vulnerability. Before and after patching, system administrators should review access logs for any signs of unauthorized configuration changes or access.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Security teams should look for unusual or unauthorized API requests, especially those targeting administrative functions, originating from untrusted internal or external IP addresses. Monitor system configurations for any unexpected changes and audit user accounts for unauthorized additions or modifications.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk of exploitation. Restrict network access to the administrative interfaces and APIs of the affected devices using firewalls or network segmentation. Allow access only from a dedicated, trusted management network or specific IP addresses. If possible, place the device behind a Web Application Firewall (WAF) with rules designed to block direct, unauthenticated access to sensitive API endpoints.
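The monitoring and network-allowlist guidance above can be turned into a simple log-triage check. The following is an added example written for this advisory, not Radiometrics code or a VizAir log format: it parses common/combined-format web-server access lines, flags requests to administrative API paths that succeeded without an authenticated user or that came from outside a trusted management network, and ranks them. The path prefixes, the management subnet and the log lines are all constructed placeholders; substitute the product's documented admin routes and your own allowlist.

```python
"""Triage access logs for unauthenticated or out-of-network requests to
administrative API paths. Added example; the paths, the trusted subnet and
the sample log lines are constructed placeholders, not VizAir specifics."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Common/combined log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Hypothetical administrative route prefixes; replace with the product's real ones.
ADMIN_PREFIXES = ("/api/admin/", "/api/config", "/api/users")
# Assumed trusted management network (the allowlist a firewall/WAF would enforce).
TRUSTED_NETS = (ipaddress.ip_network("10.20.0.0/24"),)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    path: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    """True if the source address lies inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(rec: dict) -> Optional[tuple[str, str]]:
    """Rank one parsed request; None means nothing worth alerting on."""
    if not rec["path"].startswith(ADMIN_PREFIXES):
        return None
    if int(rec["status"]) >= 400:
        return None  # the server refused it, so it is not evidence of missing auth
    unauth = rec["user"] == "-"          # no authenticated identity recorded
    untrusted = not is_trusted(rec["ip"])
    if unauth and untrusted and rec["method"] in MUTATING:
        return "critical", "unauthenticated write to admin path from untrusted source"
    if unauth:
        return "high", "admin path served without an authenticated identity"
    if untrusted:
        return "medium", "authenticated admin access from outside the management network"
    return None


def triage(lines: Iterable[str]) -> list[Finding]:
    """Run the classifier over a log and collect findings in line order."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(Finding(n, rec["ip"], rec["method"], rec["path"], *hit))
    return findings


# Constructed sample log: addresses, paths and timestamps are illustrative only.
SAMPLE_LOG = [
    '10.20.0.5 - admin [12/Mar/2025:10:00:01 +0000] "GET /api/admin/config HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Mar/2025:10:01:07 +0000] "PUT /api/admin/config HTTP/1.1" 200 88',
    '198.51.100.23 - - [12/Mar/2025:10:01:09 +0000] "POST /api/users HTTP/1.1" 201 40',
    '10.20.0.5 - - [12/Mar/2025:10:02:15 +0000] "GET /api/admin/status HTTP/1.1" 200 120',
    '203.0.113.7 - operator [12/Mar/2025:10:03:44 +0000] "GET /api/config HTTP/1.1" 200 300',
    '203.0.113.7 - - [12/Mar/2025:10:04:02 +0000] "GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Mar/2025:10:04:30 +0000] "DELETE /api/users/3 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.severity}] {f.ip} {f.method} {f.path}: {f.reason}")
```

A "high" finding from inside the trusted network (line 4 of the sample) is the one to watch after patching: it shows an admin path still answering without any authenticated identity, which is the condition this CVE describes, whereas a "medium" finding only says the network allowlist is not being enforced.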
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the critical nature and maximum CVSS score of 10.0, this vulnerability requires immediate attention. The primary recommendation is to apply the vendor-supplied patches to all affected Radiometrics VizAir systems without delay. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and a top priority for remediation. Organizations should assume they are being targeted and, in addition to patching, implement the recommended compensating controls and proactive monitoring to defend against potential exploitation attempts.