CVE-2025-25733: n/a
Incorrect access control in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows physically proximate attackers to arbitrarily modify SPI flash regions, leading to a degradation of the security posture of the device.
AI Analysis
Technical Summary
CVE-2025-25733 is a vulnerability identified in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs), specifically affecting firmware versions v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28. The core issue is an incorrect access control mechanism that allows an attacker with physical proximity to the device to arbitrarily modify regions of the SPI flash memory. The SPI flash chip typically stores critical firmware, configuration data, and security parameters essential for the secure operation of the RSU. By exploiting this vulnerability, an attacker can alter or corrupt the firmware or configuration, potentially implanting malicious code, disabling security features, or causing device malfunction. This leads to a significant degradation of the device's security posture, undermining the integrity and availability of the RSU. Since the attack requires physical proximity, it is not remotely exploitable but remains a serious concern for roadside units deployed in publicly accessible or insufficiently secured locations. No known exploits are currently reported in the wild, and no official patches or mitigations have been published as of the vulnerability disclosure date. No CVSS score has been assigned, so the severity assessment must consider the impact on confidentiality, integrity, and availability, the exploitation complexity, and the affected scope.
Potential Impact
For European organizations, particularly those involved in intelligent transportation systems and smart city infrastructure, this vulnerability poses a significant risk. Roadside Units like the RIS-9160 and RIS-9260 are critical components in traffic management, tolling, and vehicle-to-infrastructure communication. Compromise of these devices could lead to manipulation of traffic data, disruption of toll collection, or interference with safety-critical communications, potentially causing traffic congestion, financial losses, or safety hazards. Additionally, the integrity loss could be leveraged to create backdoors or persistent threats within transportation networks. Given the physical access requirement, the threat is more pronounced in locations where RSUs are accessible to the public or insufficiently protected, such as urban areas or less secure roadside installations. The impact extends beyond individual devices to the broader transportation ecosystem, potentially affecting public safety and trust in smart infrastructure.
Mitigation Recommendations
Mitigation should focus on both technical and physical security measures. First, European organizations should implement strict physical security controls around RSU installations, including tamper-evident enclosures, surveillance, and restricted access zones to prevent unauthorized physical proximity. Second, network segmentation and monitoring should be employed to detect anomalous behavior indicative of compromised RSUs. Third, organizations should engage with Kapsch TrafficCom to obtain firmware updates or patches addressing the access control flaw once available. In the interim, deploying integrity verification mechanisms such as cryptographic checksums or secure boot processes can help detect unauthorized firmware modifications. Additionally, regular physical inspections and audits of roadside units can identify signs of tampering early. Finally, incorporating redundancy in critical RSU deployments can mitigate the impact of compromised units by allowing failover to unaffected devices.
Affected Countries
Germany, France, Italy, Spain, Netherlands, Austria, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad00592698
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 8/26/2025, 3:18:33 PM
Last updated: 8/26/2025, 4:32:49 PM