What is CVE-2025-61945?

CVE-2025-61945 is a Missing Authentication for Critical Function vulnerability with a CVSS score of 10.0. This vulnerability allows any remote attacker to access the admin panel of the VizAir system without authentication, providing complete administrative control over the aviation weather monitoring system.

What is CVE-2025-54863?

CVE-2025-54863 is an Insufficiently Protected Credentials vulnerability with a CVSS score of 10.0. This vulnerability exposes the system's REST API key through a publicly accessible configuration file, allowing attackers to remotely alter weather data and configurations, automate attacks against multiple VizAir instances, extract sensitive meteorological data, flood the system with false alerts leading to denial-of-service conditions, and gain unauthorized remote control over aviation weather monitoring systems.

What is CVE-2025-61956?

CVE-2025-61956 is a Missing Authentication for Critical Function vulnerability with a CVSS score of 10.0. This vulnerability allows attackers to modify configurations without authentication, manipulate active runway settings to mislead air traffic control and pilots, and alter meteorological data that could cause inaccurate flight planning and hazardous takeoff and landing conditions.

What is Radiometrics VizAir?

Radiometrics VizAir is an aviation weather monitoring system used at airports worldwide. The system provides critical weather data and meteorological information that air traffic control and pilots rely on for safe flight operations, including runway configuration decisions and flight planning.

Which versions of VizAir are affected by these vulnerabilities?

All versions of Radiometrics VizAir prior to August 2025 are affected by these three critical vulnerabilities. Radiometrics has performed updates on all affected VizAir systems and has resolved these vulnerabilities.

What can attackers do by exploiting the VizAir vulnerabilities?

By exploiting these vulnerabilities, attackers can access the admin panel without authentication, remotely alter weather data and configurations, manipulate active runway settings to mislead air traffic control and pilots, extract sensitive meteorological data, flood the system with false alerts leading to denial-of-service conditions, alter meteorological data that could cause inaccurate flight planning, and create hazardous takeoff and landing conditions with potentially catastrophic consequences for flight safety.

What is the severity level of the VizAir vulnerabilities?

All three VizAir vulnerabilities (CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956) have a CVSS score of 10.0, which is the maximum severity rating. This indicates critical vulnerabilities that pose the highest level of risk and require immediate attention.

Do VizAir users need to take any action about these vulnerabilities?

According to the advisory, no further action is required from users as Radiometrics has already performed updates on all affected VizAir systems and deployed the patches. However, CISA recommends that organizations implement additional defensive measures such as network isolation and firewall protection to minimize the risk of exploitation.

What safety risks do the VizAir vulnerabilities pose?

The VizAir vulnerabilities could enable attackers to manipulate weather parameters, mislead air traffic control and pilots, cause disruption to airport operations, create inaccurate flight planning scenarios, and establish hazardous takeoff and landing conditions. These risks have potentially catastrophic consequences for flight safety at airports worldwide that use the VizAir system.

Advisory

Critical authentication vulnerabilities reported in Radiometrics VizAir aviation weather system

Q: Have the VizAir vulnerabilities been patched?

Yes, Radiometrics has performed updates on all affected VizAir systems and has resolved these vulnerabilities. According to the advisory, no further action is required from users as the patches have been deployed to all systems as of August 2025.

Q: What does CISA recommend for VizAir users?

Although patches have been deployed to all systems, CISA still recommends that organizations take additional defensive measures to minimize risk of exploitation. These include minimizing network exposure for all control system devices and ensuring they are not accessible from the internet, locating control system networks and remote devices behind firewalls, and isolating them from business networks.

published: Nov. 4, 2025

Take action: If you use Radiometrics VizAir aviation weather monitoring systems, verify with Radiometrics that your system received the automatic security updates that fix three maximum-severity flaws. And make sure that your systems are isolated from the internet and accessible only from trusted networks.

Learn More

CISA is reporting three critical security vulnerabilities affecting Radiometrics VizAir, an aviation weather monitoring system used at airports worldwide. These flaws could enable attackers to manipulate weather parameters, mislead air traffic control and pilots, and cause disruption to airport operations with potentially catastrophic consequences for flight safety.

Vulnerabilities summary:

CVE-2025-61945 (CVSS score 10) - Missing Authentication for Critical Function. This vulnerability allows any remote attacker to access the admin panel of the VizAir system without authentication.
CVE-2025-54863 (CVSS score 10) - Insufficiently Protected Credentials. This vulnerability exposes the system's REST API key through a publicly accessible configuration file, allowing attackers to remotely alter weather data and configurations, automate attacks against multiple VizAir instances, extract sensitive meteorological data, flood the system with false alerts leading to denial-of-service conditions, and gain unauthorized remote control over aviation weather monitoring systems.
CVE-2025-61956 (CVSS score 10) - Missing Authentication for Critical Function. This vulnerability allows attackers to modify configurations without authentication, manipulate active runway settings to mislead air traffic control and pilots, and alter meteorological data that could cause inaccurate flight planning and hazardous takeoff and landing conditions.

Affected versions are all versions of Radiometrics VizAir prior to August 2025.

Radiometrics has performed updates on all affected VizAir systems and has resolved these vulnerabilities. According to the advisory, no further action is required from users as the patches have been deployed to all systems. CISA still recommends that organizations take additional defensive measures to minimize risk of exploitation, including minimizing network exposure for all control system devices and ensuring they are not accessible from the internet, locating control system networks and remote devices behind firewalls and isolating them from business networks.

Critical authentication vulnerabilities reported in Radiometrics VizAir aviation weather system

Read More
Multiple Vulnerabilities Reported in EV2GO Charging Platform
Critical Authentication Bypass in End-of-Life Synectix LAN 232 …
Multiple critical vulnerabilities reported in Schneider Electric Modicon …
Critical Vulnerabilities in Apeman ID71 Cameras Allow Remote …
Smartbedded patches a command injection flaw in Meteobridge