CVE-2025-25736: n/a
Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain Android Debug Bridge (ADB) pre-installed (/mnt/c3platpersistent/opt/platform-tools/adb) and enabled by default, allowing unauthenticated root shell access to the cellular modem via the default 'kapsch' user.
AI Analysis
Technical Summary
CVE-2025-25736 is a vulnerability identified in Kapsch TrafficCom RIS-9260 RSU LEO devices running firmware versions v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28. These devices ship with the Android Debug Bridge (ADB) tool pre-installed at /mnt/c3platpersistent/opt/platform-tools/adb and, critically, with ADB enabled by default. This configuration flaw allows unauthenticated attackers to connect to the cellular modem component of the device and obtain a root shell via the default 'kapsch' user account. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function) and has a CVSS v3.1 base score of 6.8 (medium severity). The attack vector is physical or network access to the cellular modem interface (AV:P, physical), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). Successful exploitation compromises the confidentiality, integrity, and availability of the device, potentially allowing attackers to manipulate traffic management functions or disrupt services. No patches or known exploits are currently documented, but an enabled root shell reachable without authentication is a significant security risk. The vulnerability affects critical infrastructure components used in intelligent transport systems, which are integral to traffic flow and safety monitoring.
Potential Impact
For European organizations, especially those involved in traffic management, public transportation, and smart city infrastructure, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized control over roadside units (RSUs), enabling attackers to manipulate traffic signals, disrupt communication between vehicles and infrastructure, or cause denial of service conditions. This could result in traffic congestion, increased accident risk, and compromised public safety. Additionally, attackers could exfiltrate sensitive operational data or inject malicious commands, undermining system integrity. Given the reliance on Kapsch TrafficCom solutions across Europe for intelligent transport systems, the impact could be widespread, affecting urban centers and critical transport corridors. The vulnerability also raises concerns about national security and emergency response capabilities if exploited during critical events.
Mitigation Recommendations
Organizations should immediately audit their Kapsch RIS-9260 RSU LEO deployments to verify whether affected firmware versions are in use. Specific mitigation steps include:
1) Disabling ADB on all affected devices to remove the unauthenticated root shell access.
2) Changing or disabling the default 'kapsch' user credentials to prevent unauthorized access.
3) Restricting network access to the cellular modem interface with strict firewall rules and network segmentation, limiting exposure to trusted management networks only.
4) Monitoring device logs and network traffic for unusual ADB connections or root shell activity.
5) Engaging with Kapsch TrafficCom for official patches or firmware updates addressing this vulnerability and applying them promptly once available.
6) Incorporating this vulnerability into incident response and risk management plans, ensuring rapid containment if exploitation is detected.
7) Conducting regular security assessments and penetration testing focused on RSU devices to identify similar misconfigurations.
Affected Countries
Germany, France, Austria, Netherlands, Belgium, Switzerland, Italy, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad005926b0
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 10/22/2025, 3:39:36 PM
Last updated: 11/22/2025, 12:17:57 AM