CVE-2025-25736: n/a
Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain Android Debug Bridge (ADB) pre-installed (/mnt/c3platpersistent/opt/platform-tools/adb) and enabled by default, allowing unauthenticated root shell access to the cellular modem via the default 'kapsch' user.
AI Analysis
Technical Summary
CVE-2025-25736 is a critical vulnerability affecting specific versions of the Kapsch TrafficCom RIS-9260 RSU LEO devices, namely versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. These devices have the Android Debug Bridge (ADB) pre-installed and enabled by default at the path /mnt/c3platpersistent/opt/platform-tools/adb. The vulnerability allows unauthenticated attackers to gain root shell access to the cellular modem by connecting via the default 'kapsch' user account. This means that an attacker with network access to the device can execute arbitrary commands with root privileges without needing any authentication or user interaction. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS v3.1 base score of 9.8, indicating a critical severity level. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). The scope is unchanged (S:U), meaning the vulnerability affects the vulnerable component itself. The lack of authentication on a critical debugging interface like ADB on a cellular modem embedded in traffic infrastructure devices exposes them to full compromise, potentially allowing attackers to manipulate traffic data, disrupt communications, or use the device as a pivot point for further network attacks. No patches or mitigations are currently linked, and no known exploits in the wild have been reported as of the publication date.
Potential Impact
For European organizations, especially those involved in traffic management, transportation infrastructure, and smart city deployments, this vulnerability poses a significant risk. Kapsch TrafficCom is a major provider of intelligent transportation systems in Europe, and their RIS-9260 RSU LEO devices are likely deployed in critical road infrastructure for vehicle-to-infrastructure communication. Exploitation could lead to unauthorized control over traffic signals, disruption of traffic flow, or manipulation of data used for traffic monitoring and enforcement. This could result in safety hazards, traffic congestion, and loss of public trust. Additionally, attackers gaining root access to the cellular modem could intercept or manipulate cellular communications, potentially affecting connected services relying on these devices. The high severity and ease of exploitation (no authentication or user interaction required) increase the likelihood of targeted attacks or opportunistic exploitation. The impact extends beyond operational disruption to potential breaches of privacy and data integrity in connected transportation systems.
Mitigation Recommendations
Immediate mitigation steps include isolating the affected devices from untrusted networks to limit exposure to potential attackers. Network segmentation should be enforced to ensure that only authorized management systems can access the RSU devices. Since no official patches are currently available, organizations should contact Kapsch TrafficCom for guidance and monitor for firmware updates addressing this vulnerability. Disabling or restricting access to the ADB interface on the devices, if possible, is critical; this may require manual configuration or firmware modification. Implementing strict access controls and monitoring network traffic for unusual activity targeting the ADB port or the default 'kapsch' user can help detect exploitation attempts. Additionally, organizations should review and change any default credentials and ensure that device management interfaces are not exposed to the public internet. Incorporating intrusion detection systems (IDS) tailored to detect ADB-related traffic anomalies can provide early warning. Finally, organizations should prepare incident response plans specific to this vulnerability to quickly respond to any detected exploitation.
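The ADB traffic monitoring recommended above can key on the protocol's own framing instead of a port number. The following is an added example, not code from this page or from the vendor: it assumes the publicly documented ADB wire format (a 24-byte little-endian header whose last word is the bitwise complement of the command word) and labels a session as unauthenticated when the device answers a connect request with CNXN and no AUTH or STLS challenge. The function names and sample byte strings are constructed for illustration.

```python
import struct

HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
# Command words are four ASCII bytes read as a little-endian uint32.
COMMANDS = {struct.unpack("<I", n)[0]: n.decode()
            for n in (b"CNXN", b"AUTH", b"STLS", b"OPEN", b"OKAY", b"WRTE", b"CLSE", b"SYNC")}

def parse_adb(stream: bytes):
    """Return [(command, payload)] for well-formed ADB messages at the start of a stream."""
    msgs, off = [], 0
    while off + HEADER.size <= len(stream):
        cmd, _a0, _a1, length, _chk, magic = HEADER.unpack_from(stream, off)
        # A genuine header carries magic == bitwise complement of the command word.
        if cmd not in COMMANDS or magic != cmd ^ 0xFFFFFFFF:
            break
        off += HEADER.size
        msgs.append((COMMANDS[cmd], stream[off:off + length]))
        off += length
    return msgs

def classify_session(to_device: bytes, from_device: bytes) -> str:
    """Label one TCP session from the reassembled bytes of each direction."""
    sent, reply = parse_adb(to_device), parse_adb(from_device)
    if not sent or sent[0][0] != "CNXN":
        return "not-adb"
    if not reply:
        return "adb-connect-attempt"
    if reply[0][0] in ("AUTH", "STLS"):
        return "adb-auth-required"
    if reply[0][0] == "CNXN":
        return "adb-unauthenticated"   # daemon accepted the peer with no challenge
    return "adb-other"

def build_msg(name: bytes, payload: bytes = b"", arg0: int = 0, arg1: int = 0) -> bytes:
    """Build a constructed sample message (test data only)."""
    cmd = struct.unpack("<I", name)[0]
    return HEADER.pack(cmd, arg0, arg1, len(payload), sum(payload), cmd ^ 0xFFFFFFFF) + payload

# Constructed sample traffic, not captured from any real device.
HOST_CNXN = build_msg(b"CNXN", b"host::\x00", 0x01000000, 4096)
DEVICE_CNXN = build_msg(b"CNXN", b"device::\x00", 0x01000000, 4096)
DEVICE_AUTH = build_msg(b"AUTH", bytes(20), 1)

if __name__ == "__main__":
    for label, reply in (("open", DEVICE_CNXN), ("challenged", DEVICE_AUTH), ("silent", b"")):
        print(label, classify_session(HOST_CNXN, reply))
```

Feed it the first reassembled bytes of each direction of a flow from a sensor on the RSU management segment; any `adb-unauthenticated` result between an RSU and a host outside the authorized management systems warrants investigation.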
Affected Countries
Germany, Austria, Switzerland, France, Netherlands, Belgium, Czech Republic, Slovakia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad005926b0
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 9/3/2025, 1:11:43 AM
Last updated: 10/10/2025, 2:49:51 PM