CVE-2025-25735 identifies a security weakness in Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs), specifically in firmware versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. The root cause is the lack of SPI Protected Range Registers (PRRs), a hardware security feature designed to prevent unauthorized modifications to SPI flash memory. SPI flash typically stores firmware and critical configuration data; without PRRs, software running on the device can alter this memory in real-time. This means an attacker who has gained software-level access—either through local access or potentially via other vulnerabilities—can tamper with the device’s firmware or configuration, undermining its integrity. The vulnerability does not directly expose confidential data nor does it cause denial of service, but it allows persistent unauthorized changes that could facilitate further attacks or disrupt traffic management functions. The CVSS vector indicates the attack requires physical or local access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N), and no user interaction (UI:N). The scope remains unchanged (S:U), with no confidentiality impact (C:N), but high integrity impact (I:H), and no availability impact (A:N). No patches or exploit code are currently available, and no known exploitation in the wild has been reported. The vulnerability is tracked under CWE-1233, which relates to insufficient hardware protection mechanisms. Given the critical role of RSUs in intelligent transportation systems, this vulnerability could be leveraged to manipulate traffic signals or data, potentially causing safety risks or operational disruptions.

For European organizations, the impact of CVE-2025-25735 is primarily on the integrity of roadside traffic infrastructure. RSUs are integral to traffic management, vehicle communication, and safety systems. Unauthorized modification of firmware or configuration could lead to incorrect traffic signal timings, false traffic data reporting, or compromised vehicle-to-infrastructure communication. This could degrade traffic flow efficiency, increase accident risks, or enable further cyberattacks on connected transportation networks. While confidentiality and availability are not directly affected, the integrity compromise could have cascading effects on public safety and trust in smart city infrastructure. Organizations responsible for traffic management, public transportation authorities, and critical infrastructure operators in Europe must consider this risk seriously. The medium CVSS score reflects the moderate likelihood and impact, but the strategic importance of these systems elevates the operational risk. The lack of known exploits provides a window for proactive mitigation before attackers potentially develop exploitation techniques.

Since no patches are currently available, European organizations should implement layered mitigation strategies. First, restrict physical and local access to RSUs by enforcing strict access controls and monitoring. Deploy network segmentation to isolate RSUs from broader enterprise or public networks, reducing the risk of remote compromise. Implement continuous integrity monitoring of RSU firmware and configuration to detect unauthorized changes promptly. Use hardware security modules or trusted platform modules (TPMs) where possible to enhance device security. Engage with Kapsch TrafficCom for firmware updates or security advisories and plan for timely patch deployment once available. Conduct regular security audits and penetration tests focusing on RSU environments. Additionally, consider deploying anomaly detection systems on traffic management networks to identify unusual behavior indicative of firmware tampering. Finally, maintain incident response readiness specific to transportation infrastructure threats.