All CISA Advisories, EN

Columbia Weather Systems MicroServer

2026-01-06 22:01

Summary

Successful exploitation of these vulnerabilities could allow an attacker to redirect the SSH connection to an attacker controlled device, gain admin access to the web portal, and gain limited shell access.

The following versions of Columbia Weather Systems MicroServer are affected:

MicroServer firmware (CVE-2025-61939, CVE-2025-64305, CVE-2025-66620)

CVSS	Vendor	Equipment	Vulnerabilities
v3 8.8	Columbia Weather Systems	Columbia Weather Systems MicroServer	Improper Restriction of Communication Channel to Intended Endpoints, Cleartext Storage in a File or on Disk, Command Shell in Externally Accessible Directory

Background

Critical Infrastructure Sectors: Information Technology
Countries/Areas Deployed: United States
Company Headquarters Location: United States

Vulnerabilities

CVE-2025-61939

An unused function in the MicroServer can start a reverse ssh connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.

View CVE Details

Affected Products

Columbia Weather Systems MicroServer

Vendor:
Columbia Weather Systems

Product Version:
Columbia Weather Systems MicroServer firmware: <MS_4.1_14142

Product Status:
known_affected

Remediations

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories

Read the original article:

Columbia Weather Systems MicroServer

Share this:
Facebook
X
LinkedIn
Like this:
Like Loading...

Related

Tags: All CISA Advisories EN

Post navigation

← Ransomware trends, statistics and facts in 2026

IT Security News Hourly Summary 2026-01-06 21h : 3 posts →

Search for:
Pages

Advertising

Contact

Legal and Contact information

Opt-out preferences

Privacy Policy

Social Media

Apps

Telegram Channel

Recent Posts

900,000 Users Hit as Malicious Chrome Extensions Steal ChatGPT, DeepSeek Chats January 8, 2026

Grok Is Generating Sexual Content Far More Graphic Than What’s on X January 8, 2026

Ni8mare flaw gives unauthenticated control of n8n instances January 8, 2026

Chinese Hackers Use NFC-Enabled Android Malware to Steal Payment Information January 7, 2026

CrazyHunter Ransomware Targets Healthcare Sector Using Sophisticated Evasion Tactics January 7, 2026

Windows Packer pkr_mtsi Powers Widespread Malvertising Campaigns with Multiple Malware January 7, 2026

Critical n8n Vulnerability Allows Authenticated Remote Code Execution January 7, 2026

Hackers Using Malicious QR Codes for Phishing via HTML Table January 7, 2026

Hackers Using Malicious Imageless QR Codes to Render Phishing Attack Via HTML Table January 7, 2026

IT Security News Hourly Summary 2026-01-07 21h : 3 posts January 7, 2026

Critical n8n Vulnerability Enables Authenticated RCE January 7, 2026

CISA Adds Two Known Exploited Vulnerabilities to Catalog January 7, 2026

Randall Munroe’s XKCD ‘Fishing’ January 7, 2026

CISO’s guide to nonhuman identity security January 7, 2026

ESA calls cops as crims lift off 500 GB of files, say security black hole still open January 7, 2026

Windows Packer pkr_mtsi Powers Widespread Malvertising Campaigns Delivering Multiple Malware Families January 7, 2026

Stalkerware slinger pleads guilty for selling snooper software to suspicious spouses January 7, 2026

NDSS 2025 – Automatic Insecurity: Exploring Email Auto-configuration In The Wild January 7, 2026

Why AI Changes the Risk Model for Application Security January 7, 2026

Fighting Deep Fakes: Think Like the Attacker January 7, 2026

Copyright © 2026 IT Security News. All Rights Reserved. The Magazine Basic Theme by bavotasan.com.

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options

Manage services

Manage {vendor_count} vendors

Read more about these purposes

View preferences

{title}

{title}

{title}