Command Injection in Meteobridge Web Interface (CVE-2025-4008)
CVE-2025-4008 Published on May 21, 2025

Arbitrary Command Injection in Smartbedded MeteoBridge
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application written in CGI shell scripts and C. This web interface exposes an endpoint that is vulnerable to command injection. Remote unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.


Known Exploited Vulnerability

This Smartbedded Meteobridge Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices.

The following remediation steps are required by October 23, 2025: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Notification email sent to info@smartbedded.com

Notification email sent to info@smartbedded.com 21 days later.

Notification email sent to info@smartbedded.com 23 days later.

Notification email sent to info@smartbedded.com 5 days later.

ONEKEY posts a message on MeteoBridge support forum

MeteoBridge support forum administrator deletes the forum post and account 1 day later.

ONEKEY notifies the German BSI 16 days later.

Smartbedded notifies the German BSI of a patch being available (version 6.2) 17 days later.

CVE publication 7 days later.

Weakness Types

What is a Command Injection Vulnerability?

The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CVE-2025-4008 has been classified as a Command Injection vulnerability or weakness.
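The weakness above is easiest to see in the kind of code the advisory says the interface is built from: CGI shell scripts. The block below is an added example, not code from Meteobridge or from the ONEKEY advisory; the vulnerable endpoint itself is not shown on this page. The parameter name (station), the query strings and the handler names are constructed for illustration. The vulnerable handler splices a query parameter into a command line that the shell re-parses, so a ';' in the value starts a second command; the hardened handler rejects anything outside an allowlist and passes the value as a single argument that is never re-parsed.

```shell
#!/bin/sh
# Added example (not from the advisory): command injection in a CGI-style
# shell handler, beside a hardened version.

# Constructed sample query strings. A real CGI script would read these from
# $QUERY_STRING and URL-decode them; that is omitted here.
SAFE_QS='station=wx1'
EVIL_QS='station=wx1;echo INJECTED'   # harmless payload standing in for an attacker's command

# Return the value of parameter $2 from query string $1 (first occurrence only).
get_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Vulnerable handler: the parameter value is pasted into a command string and
# handed back to the shell. Shell metacharacters in the value (; | & $( ) ...)
# change the command that runs, which is exactly the weakness described above.
vulnerable_handler() {
    station=$(get_param "$1" station)
    eval "echo station:$station"
}

# Hardened handler: enforce a strict allowlist on the value and then use it only
# as data. printf receives it as one argument, so no shell parsing happens on it.
hardened_handler() {
    station=$(get_param "$1" station)
    case "$station" in
        ''|*[!A-Za-z0-9_-]*)
            printf 'reject\n'
            return 1
            ;;
    esac
    printf 'station:%s\n' "$station"
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "inject_demo.sh" ]; then
    echo "--- vulnerable, benign input";  vulnerable_handler "$SAFE_QS"
    echo "--- vulnerable, injected input"; vulnerable_handler "$EVIL_QS"
    echo "--- hardened, benign input";     hardened_handler "$SAFE_QS"
    echo "--- hardened, injected input";   hardened_handler "$EVIL_QS" || echo "(rejected, status $?)"
fi
```

The allowlist is the important part: escaping or blacklisting individual metacharacters is fragile, whereas rejecting anything that is not a known-good identifier leaves the shell nothing to interpret. Where the value must be passed to another program, pass it as a separate argument (as printf receives it here) rather than building a string for eval or sh -c.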

Missing Authentication for Critical Function

The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.


Affected Versions

Smartbedded MeteoBridge:

Exploit Probability

EPSS
43.92%
Percentile
97.55%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.