CVE-2025-25736: n/a
Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain Android Debug Bridge (ADB) pre-installed (/mnt/c3platpersistent/opt/platform-tools/adb) and enabled by default, allowing unauthenticated root shell access to the cellular modem via the default 'kapsch' user.
AI Analysis
Technical Summary
CVE-2025-25736 is a critical vulnerability in specific versions of the Kapsch TrafficCom RIS-9260 Roadside Unit (RSU) LEO firmware, namely versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. It arises from the Android Debug Bridge (ADB) tool being pre-installed on the device at /mnt/c3platpersistent/opt/platform-tools/adb and, more importantly, enabled by default. ADB is a powerful debugging interface primarily used for Android device management and development; if exposed, it provides deep system access. Here the ADB service allows unauthenticated root shell access to the cellular modem component of the RSU via a default user account named 'kapsch': an attacker with network access to the RSU can connect over ADB without any credentials and obtain full root privileges on the cellular modem subsystem. With that access an attacker could manipulate device operations, intercept or alter communications, deploy persistent malware, or pivot to other network segments. The vulnerability is particularly severe because it requires neither authentication nor user interaction, so exploitation is straightforward if the device is reachable. The RIS-9260 RSU is a critical component in intelligent transportation systems (ITS), used for vehicle-to-infrastructure communication, traffic management, and safety applications. The absence of a CVSS score indicates that the vulnerability is newly published and has not yet been formally scored, but the technical details suggest high severity. No exploits are currently reported in the wild, but the risk remains significant given the level of access granted. No patches or mitigation links are provided, so affected organizations must apply compensating controls immediately to reduce exposure.
Potential Impact
For European organizations, especially those involved in transportation infrastructure, smart city deployments, or traffic management, this vulnerability poses a substantial risk. Exploitation could lead to unauthorized control over roadside units, potentially disrupting traffic signals, vehicle communication, or safety alerts. This could cause traffic congestion, accidents, or broader safety hazards. Additionally, attackers could leverage the RSU as a foothold to infiltrate wider critical infrastructure networks, compromising confidentiality and integrity of sensitive data. The root-level access to the cellular modem also raises concerns about interception or manipulation of cellular communications, which could impact operational continuity. Given the strategic importance of ITS in Europe for urban mobility and safety, the vulnerability could have cascading effects on public safety and critical infrastructure resilience. The absence of authentication and the default enabled state of ADB significantly increase the attack surface, especially if RSUs are accessible from less secure network segments or exposed to the internet. Organizations may also face regulatory and compliance risks if such vulnerabilities lead to service disruptions or data breaches.
Mitigation Recommendations
Immediate mitigation should focus on network-level controls:
- Isolate affected RSUs from untrusted networks so that only authorized management systems can reach them; use network segmentation and firewall rules to block ADB ports and restrict access to the RSU's cellular modem interface.
- If possible, disable or uninstall the ADB service on the RSU; where the device management interfaces allow this, do it promptly.
- Change or disable the default 'kapsch' user account to prevent unauthorized access.
- Monitor network traffic for unusual ADB connections or root shell activity.
- Since no patches are currently available, engage with Kapsch TrafficCom support to obtain firmware updates or official remediation guidance.
- Implement strict physical security controls to prevent local access to the RSU devices.
- Audit RSU configurations and access logs thoroughly to detect any signs of compromise.
For long-term security, organizations should demand secure development practices from vendors, including disabling debug interfaces by default and enforcing strong authentication mechanisms.
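The recommendation to monitor for unusual ADB connections and root shell activity is easier to act on with a concrete detector. The following Python is an added example written for this page, not code from the advisory or from Kapsch TrafficCom. It assumes two protocol facts the advisory does not state: ADB over TCP listens on port 5555 by default, and every ADB wire message begins with a 24-byte header of six little-endian uint32 fields (command, arg0, arg1, data length, data checksum, and a magic value equal to the command XOR 0xFFFFFFFF). It parses the first client-to-server bytes of each connection record, validates the header, and flags connections to the ADB port, ADB handshakes (CNXN), and streams that open a shell. The connection records, addresses and payloads are constructed for the example.

```python
import struct

# Assumptions not stated in the advisory: ADB over TCP listens on port 5555 by
# default, and every ADB wire message starts with a 24-byte header of six
# little-endian uint32 fields: command, arg0, arg1, data_length, data_check,
# magic (= command XOR 0xFFFFFFFF).
ADB_TCP_PORT = 5555
HEADER_LEN = 24


def _tag(text: bytes) -> int:
    """Command constant for a four-letter ADB tag such as b'CNXN'."""
    return struct.unpack("<I", text)[0]


ADB_COMMANDS = {
    _tag(b"CNXN"): "CNXN",  # handshake sent by a connecting client
    _tag(b"AUTH"): "AUTH",  # key challenge; absent when the daemon trusts everyone
    _tag(b"OPEN"): "OPEN",  # open a service stream such as "shell:"
    _tag(b"OKAY"): "OKAY",
    _tag(b"WRTE"): "WRTE",
    _tag(b"CLSE"): "CLSE",
}


def parse_adb_message(payload: bytes):
    """Return a dict for the ADB message at the start of payload, or None.

    Rejects payloads whose header is too short, whose command is unknown,
    whose magic field does not invert the command, or whose data checksum
    (sum of data bytes mod 2^32; newer clients may send 0) does not match.
    """
    if len(payload) < HEADER_LEN:
        return None
    cmd, arg0, arg1, dlen, dcheck, magic = struct.unpack("<6I", payload[:HEADER_LEN])
    if cmd not in ADB_COMMANDS or magic != (cmd ^ 0xFFFFFFFF):
        return None
    data = payload[HEADER_LEN:HEADER_LEN + dlen]
    if len(data) != dlen:
        return None
    if dcheck not in (0, sum(data) & 0xFFFFFFFF):
        return None
    return {"command": ADB_COMMANDS[cmd], "arg0": arg0, "arg1": arg1, "data": data}


def classify(record: dict) -> list:
    """Findings for one connection record (keys: src, dst, dport, payload,
    where payload holds the first client-to-server bytes)."""
    findings = []
    if record["dport"] == ADB_TCP_PORT:
        findings.append("connection to ADB TCP port")
    msg = parse_adb_message(record["payload"])
    if msg is None:
        return findings
    findings.append("ADB %s message" % msg["command"])
    if msg["command"] == "CNXN":
        ident = msg["data"].rstrip(b"\0").decode("ascii", "replace")
        findings.append("handshake identity: " + ident)
    elif msg["command"] == "OPEN" and msg["data"].startswith(b"shell:"):
        findings.append("shell stream opened")
    return findings


def scan(records) -> list:
    """Return (src, dst, findings) for every record that produced findings."""
    alerts = []
    for rec in records:
        findings = classify(rec)
        if findings:
            alerts.append((rec["src"], rec["dst"], findings))
    return alerts


def build_adb_message(tag: bytes, arg0: int, arg1: int, data: bytes) -> bytes:
    """Encode one ADB message; used here only to construct sample traffic."""
    cmd = _tag(tag)
    header = struct.pack("<6I", cmd, arg0, arg1, len(data),
                         sum(data) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF)
    return header + data


# Constructed sample records: addresses and payloads are made up for this example.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 5555,
     "payload": build_adb_message(b"CNXN", 0x01000000, 0x1000, b"host::\0")},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 5555,
     "payload": build_adb_message(b"OPEN", 1, 0, b"shell:id\0")},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\0" * 32},
    {"src": "10.0.0.7", "dst": "10.0.0.20", "dport": 5555,
     "payload": b"GET /status HTTP/1.1\r\nHost: rsu\r\n\r\n"},
]

if __name__ == "__main__":
    for src, dst, findings in scan(SAMPLE_RECORDS):
        print(src, "->", dst, ";", "; ".join(findings))
```

Feeding the constructed records through scan() reports three of the four connections: the handshake, the shell stream, and a non-ADB request to the ADB port (which is still worth a look, since nothing legitimate should be talking to that port on an RSU); the TLS connection on 443 is ignored. In a real deployment the records would come from a flow collector or packet capture with the first payload bytes preserved, and the 5555 check would be extended to whatever port the ADB daemon is actually bound to on the device.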
Affected Countries
Germany, Austria, Switzerland, France, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad005926b0
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 8/26/2025, 3:17:57 PM
Last updated: 8/26/2025, 4:36:22 PM