Roland Schweitzer

CVE-2025-62193 WRITEUP CRITICAL WRITEUP

NOAA Live Access Server - Unauthenticated Remote Code Execution via PyFerret SPAWN Command

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

CVSS 9.8

View Code

CVE-2025-62193 WRITEUP CRITICAL WRITEUP

NOAA Live Access Server - Unauthenticated Remote Code Execution via PyFerret SPAWN Command

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

CVSS 9.8

View Code