The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory detailing three vulnerabilities in the Radiometrics VizAir aviation weather monitoring system, warning that exploitation could allow attackers to manipulate meteorological data and runway configurations, potentially leading to hazardous flight conditions.
According to the advisory, “Successful exploitation of these vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions.”
The vulnerabilities, tracked as CVE-2025-61945, CVE-2025-54863, and CVE-2025-61956, each received a CVSS v3.1 base score of 10.0, the maximum possible severity rating, underscoring the potential for catastrophic outcomes if exploited.
The affected product, Radiometrics VizAir (versions prior to August 2025), is a specialized atmospheric monitoring platform deployed in airport meteorological systems worldwide. VizAir provides real-time data on wind shear, temperature inversion, CAPE (Convective Available Potential Energy), and other parameters used in flight planning and runway management.
The first vulnerability (CVE-2025-61945) stems from the VizAir administrative panel being accessible without authentication, allowing remote attackers to directly modify or disable safety-critical data feeds.
“Radiometrics VizAir is vulnerable to any remote attacker via access to the admin panel of the VizAir system without authentication. Once inside, the attacker can modify critical weather parameters such as wind shear alerts, inversion depth, and CAPE values,” CISA wrote. “This unauthorized access could result in the disabling of vital alerts, causing hazardous conditions for aircraft, and manipulating runway assignments, which could result in mid-air conflicts or runway incursions.”
The second flaw (CVE-2025-54863) involves inadequately protected credentials within VizAir’s configuration files, which can be accessed remotely without authentication.
“Radiometrics VizAir is vulnerable to exposure of the system’s REST API key through a publicly accessible configuration file. This allows attackers to remotely alter weather data and configurations, automate attacks against multiple instances, and extract sensitive meteorological data,” the advisory states. “Additionally, attackers could flood the system with false alerts, leading to a denial-of-service condition and significant disruption to airport operations.”
The third vulnerability (CVE-2025-61956) mirrors the first but extends to API-level access, allowing remote actors to manipulate live configurations and telemetry data sent to air traffic control systems.
“Radiometrics VizAir is vulnerable to a lack of authentication mechanisms for critical functions, such as admin access and API requests,” CISA warned. “Attackers can modify configurations without authentication, potentially manipulating active runway settings and misleading air traffic control (ATC) and pilots.”
Radiometrics has already released updates addressing all three vulnerabilities. Users running VizAir systems should verify that their software has been updated to version 08/2025 or later and ensure that all instances are segmented from public networks and protected behind strong authentication mechanisms.