HIGH🇵🇱 Wersja polska

CVE-2025-61939

CVSS 8.7v4.0pub. 2026-01-07upd. 2026-01-22

An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Columbiaweather Weather Microserver

    HW
    Columbiaweather
    wszystkie wersje
  • Columbiaweather Weather Microserver Firmware

    OS
    Columbiaweather
    < MS_4.1_14142
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-66620HIGH8.6ten sam produkt

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and direc...

CVE-2018-18877HIGH8.8ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can access an alter...

CVE-2018-18878HIGH7.5ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, the BACnet daemon does not properly validate ...

CVE-2018-18879HIGH8.8ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands d...

CVE-2018-18876MEDIUM5.3ten sam produkt

In firmware version MS_2.6.9900 of Columbia Weather MicroServer, a readouts_rd.php directory traversal issue m...