CVE-2025-25734: n/a
Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain an unauthenticated EFI shell, which allows attackers to execute arbitrary code or escalate privileges during the boot process.
AI Analysis
Technical Summary
CVE-2025-25734 is a critical vulnerability affecting Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs) across multiple firmware versions (v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28). The vulnerability arises from the presence of an unauthenticated EFI (Extensible Firmware Interface) shell embedded within the device's boot process. This EFI shell can be accessed without authentication, allowing an attacker to execute arbitrary code or escalate privileges during the system's boot sequence. Exploiting this vulnerability requires no user interaction or prior authentication, making it highly accessible to remote or local attackers with network or physical access to the device. The EFI shell operates at a very low level in the system, which means that successful exploitation can compromise the confidentiality, integrity, and availability of the RSU. Attackers could potentially install persistent malware, manipulate traffic data, disrupt traffic management operations, or use the compromised RSU as a foothold into broader transportation or critical infrastructure networks. The vulnerability is classified under CWE-1233, which relates to improper control of the boot process, highlighting the risk of unauthorized code execution during system initialization. The CVSS v3.1 base score is 9.8, reflecting the critical nature of this flaw with network attack vector, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild yet, and no official patches have been linked, indicating that affected organizations should prioritize mitigation and monitoring efforts immediately.
Potential Impact
For European organizations, particularly those involved in intelligent transportation systems (ITS), smart city infrastructure, and critical road traffic management, this vulnerability poses a severe risk. Kapsch TrafficCom RSUs are widely deployed across Europe for traffic monitoring, tolling, and vehicle-to-infrastructure communication. Exploitation could lead to unauthorized manipulation of traffic data, causing traffic disruptions, safety hazards, or incorrect tolling charges. Moreover, compromised RSUs could serve as entry points for attackers to pivot into broader transportation networks or critical infrastructure systems, potentially affecting public safety and national security. The ability to execute code at boot level means attackers can maintain persistence and evade detection, complicating incident response. Given the criticality of road traffic systems in urban centers and cross-border transport corridors, the impact could extend beyond individual organizations to affect regional transportation stability and emergency response capabilities.
Mitigation Recommendations
1. Immediate network segmentation: Isolate RSUs from general enterprise networks and restrict access to management interfaces to trusted personnel and systems only.
2. Physical security: Ensure RSUs are physically secured to prevent unauthorized local access that could facilitate exploitation.
3. Monitor for unusual boot activity: Implement logging and monitoring solutions that can detect unexpected reboots or EFI shell access attempts.
4. Firmware integrity verification: Employ cryptographic verification of firmware and boot components to detect unauthorized modifications.
5. Vendor engagement: Engage with Kapsch TrafficCom for official patches or firmware updates addressing this vulnerability and apply them promptly once available.
6. Incident response readiness: Prepare incident response plans specific to RSU compromise scenarios, including forensic analysis of boot-level tampering.
7. Restrict EFI shell access: Where possible, disable or password-protect EFI shell access in device configurations or via firmware updates.
8. Network traffic filtering: Use intrusion detection/prevention systems to identify and block anomalous traffic targeting RSUs.
These measures go beyond generic advice by focusing on the unique operational context of RSUs and their boot-level vulnerability.
Affected Countries
Germany, Austria, Switzerland, France, Netherlands, Belgium, Italy, Spain, Sweden, Norway
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad005926a0
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 9/3/2025, 1:08:43 AM
Last updated: 10/10/2025, 11:21:46 PM