CVE-2025-1077

07.02.2025, 09:15

A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather).The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled.

A remoteunauthenticated

attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDSpipelinewith specially crafted Form Properties, enabling remote execution of arbitrary Python code.This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather servicesare run under a privileged user accountcontrary to the documented installation best practices.

Upgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher).

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
SK-CERT	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://www.iblsoft.com/security/advisory-isec-2024-001/