Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests. Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots. Additionally, manipulated meteorological data could mislead forecasters and ATC, causing inaccurate flight planning.
An attacker without any credentials can gain access to the administrative panel and invoke API requests to the VizAir system. The lack of authentication mechanisms (CWE-306) allows unauthorized modification of system configuration, including active runway settings and meteorological data. The manipulated data can then be presented to air traffic controllers (ATC) and pilots as reliable operational information.
An attacker can remotely and without authentication modify the system configuration, falsify runway status data, and manipulate meteorological data, which may mislead air traffic controllers (ATC), pilots, and meteorologists, leading to incorrect flight planning and potential aviation safety threats.
Apply patches available from the vendor in accordance with the references (CISA ICS Advisory ICSA-25-308-04: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04). Until patches are deployed, it is recommended to isolate the system from public networks, restrict network access to a minimum, and apply additional access control mechanisms at the network level (firewall, VPN).
Radiometrics VizAir — versions specified in the vendor references (advisory ICSA-25-308-04)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XRadiometrics Vizair
APPRadiometrics< 2025-08