CVE-2025-1077

Feb. 7, 2025, 9:15 a.m.

None
No Score

Description

A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled. A remote unauthenticated attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices. Upgrade to the patched versions 7.3.10 (or higher), 8.6.0 (or higher).

Product(s) Impacted

Product Versions
IBL Software Engineering Visual Weather
  • ['7.3.10', '8.6.0']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://www.iblsoft.com/security/advisory-isec-2024-001/

Tags

CWE-20
incident@nbu.gov.sk
2025-02-07
CVE-2025-1077

Timeline

Published: Feb. 7, 2025, 9:15 a.m.
Last Modified: Feb. 7, 2025, 9:15 a.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

incident@nbu.gov.sk

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.