The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.
Reserved 2025-04-27 | Published 2025-05-21 | Updated 2025-05-23 | Assigner ONEKEY
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-306 Missing Authentication for Critical Function
2025-02-25: Notification email sent to info@smartbedded.com
2025-03-18: Notification email sent to info@smartbedded.com
2025-04-10: Notification email sent to info@smartbedded.com
2025-04-15: Notification email sent to info@smartbedded.com
2025-04-10: ONEKEY posts a message on MeteoBridge support forum
2025-04-11: MeteoBridge support forum administrator deletes the forum post and account.
2025-04-27: ONEKEY notifies the German BSI
2025-05-14: Smartbedded notifies the German BSI of a patch being available (version 6.2)
2025-05-21: CVE publication
ONEKEY Research Labs
www.onekey.com/...n-on-smartbedded-meteobridge-cve-2025-4008
forum.meteohub.de/viewtopic.php?t=18687