CVE-2025-25733 identifies an incorrect access control vulnerability in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs) running firmware versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. The SPI flash memory stores critical firmware and configuration data essential for the RSU's operation and security. Due to improper access restrictions, an attacker with physical proximity can directly modify arbitrary regions of the SPI flash chip. This unauthorized modification capability can lead to degradation of the device's security posture by enabling firmware tampering, insertion of malicious code, or alteration of security-critical parameters. The vulnerability does not require authentication or user interaction but does require physical access, limiting remote exploitation. The CVSS v3.1 base score is 3.5 (low severity), reflecting limited impact on confidentiality and integrity, no impact on availability, and low attack vector scope (physical). No public exploits or patches are currently available, but the vulnerability is officially published and tracked under CWE-1233 (Improper Access Control). The affected devices are integral components of intelligent transportation systems, used for traffic monitoring and management, making their security critical to infrastructure resilience.

For European organizations, especially those managing smart city infrastructure and traffic control systems, this vulnerability poses a risk of physical tampering with roadside units. Unauthorized modification of SPI flash memory could allow attackers to alter firmware or configurations, potentially leading to incorrect traffic data reporting, disruption of traffic management, or covert insertion of backdoors for future attacks. Although the vulnerability requires physical access, roadside units are often deployed in publicly accessible locations, increasing the risk of exploitation. The impact on confidentiality and integrity could affect data accuracy and system trustworthiness, undermining traffic safety and operational efficiency. While availability is not directly impacted, compromised RSUs could indirectly cause traffic disruptions or safety hazards. The low CVSS score reflects the limited attack vector and impact scope, but the critical nature of transportation infrastructure elevates the importance of addressing this issue promptly.

1. Enhance physical security measures around RSU installations, including tamper-evident seals, locked enclosures, and surveillance cameras to deter and detect unauthorized access. 2. Implement regular physical inspections and integrity checks of RSUs to identify signs of tampering or unauthorized modifications. 3. Coordinate with Kapsch TrafficCom to obtain and apply firmware updates or patches addressing this vulnerability once released. 4. Employ cryptographic verification of firmware and configuration files to detect unauthorized changes to SPI flash contents. 5. Restrict physical access to RSUs to authorized personnel only, supported by access control policies and logging. 6. Integrate anomaly detection systems that monitor RSU behavior and alert on deviations potentially caused by firmware tampering. 7. Develop incident response plans specific to physical tampering scenarios involving RSUs to ensure rapid containment and recovery.