Latest Smartbedded Meteobridge vulnerability: CVE-2025-4008
Smartbedded has disclosed a command injection vulnerability in the management web interface endpoint /public/template.cgi of its Meteobridge. This flaw is the result of improper neutralization of the user-supplied query string being parsed and used unsanitized in an eval call. Successful exploitation allows a remote (adjacent), unauthenticated adversary to execute arbitrary commands with the elevated privileges of the root user on affected devices. This vulnerability has been designated CVE-2025-4008 and has been rated high with a CVSS score of 8.8. There is evidence that this vulnerability is being actively exploited in the wild.
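As an added illustration (not part of the advisory), a small detection routine over web-server access logs: it flags requests to the /public/template.cgi endpoint named above whose decoded query string carries shell metacharacters, the kind of input that reaches an unsanitized eval call. The log format, the parameter name "tmpl" and the sample lines are all constructed assumptions; the real parameter names are not given on this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint named in the advisory. The metacharacter set is a generic indicator of
# shell command injection attempts, not a page-specific payload signature.
VULN_PATH = "/public/template.cgi"
SHELL_META = re.compile(r"[;|&`$<>]")

# Apache/nginx combined-style request lines: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines; "tmpl" is a hypothetical parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2025:10:00:00 +0000] "GET /public/template.cgi?tmpl=summary HTTP/1.1" 200',
    '192.0.2.11 - - [01/May/2025:10:00:05 +0000] "GET /public/template.cgi?tmpl=x%3Bid HTTP/1.1" 200',
    '192.0.2.12 - - [01/May/2025:10:00:09 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200',
]


def parse_line(line):
    """Parse one access-log line into fields plus the split path and decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qsl percent-decodes once; keep blank values so "?tmpl=" is still visible.
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def is_suspicious(entry):
    """True for requests to the vulnerable endpoint whose query contains shell metacharacters."""
    if entry is None or entry["path"] != VULN_PATH:
        return False
    for key, value in entry["params"]:
        # Second unquote catches double-encoded input (e.g. %253B) as well.
        if SHELL_META.search(unquote(key)) or SHELL_META.search(unquote(value)):
            return True
    return False


def scan_log(lines):
    """Return the parsed entries that should be escalated for review."""
    return [e for e in map(parse_line, lines) if is_suspicious(e)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['target']}")
```

Run over real logs, this should be paired with the device inventory below, since a hit on an unpatched unit (version prior to 6.2) deserves immediate isolation and a root-level compromise assessment.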
The following versions are affected:
- Meteobridge versions prior to 6.2
What is the impact?
Successful exploitation of this vulnerability would allow an adversary to execute arbitrary commands as root on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available?
Users are encouraged to update to the latest version as quickly as possible:
- Meteobridge: upgrade to version 6.2 or later
How to find potentially vulnerable systems with runZero
From the Service inventory, use the following query to locate potentially vulnerable assets:
_asset.protocol:http AND protocol:http AND http.head.wwwAuthenticate:="Basic realm=%MeteoBridge%"