CVE-2025-25737 identifies a security vulnerability in Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs), specifically in firmware versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. These RSUs are critical components in intelligent transportation systems, used for vehicle-to-infrastructure communication to manage traffic flow and enforce road safety. The vulnerability arises from the lack of secure password policies for BIOS Supervisor and User accounts on these devices. Without enforced complexity or lockout mechanisms, attackers can perform brute force attacks against these BIOS-level accounts to bypass authentication. Successfully exploiting this flaw would allow an attacker to gain unauthorized low-level access to the RSU hardware, potentially enabling them to alter firmware settings, disable security controls, or install persistent malicious code. This could compromise the integrity and availability of the traffic management infrastructure. Notably, no CVSS score has been assigned yet, and there are no known exploits in the wild at this time. However, the absence of secure password requirements at the BIOS level represents a significant security weakness, as BIOS access typically precedes operating system controls, making this a critical attack vector if exploited.

For European organizations, particularly those involved in transportation infrastructure and smart city initiatives, this vulnerability poses a substantial risk. RSUs are integral to traffic monitoring, congestion management, and enforcement of traffic regulations. An attacker gaining BIOS-level access could disrupt traffic flow by manipulating RSU operations, potentially causing traffic jams, accidents, or enabling fraudulent behavior such as evading tolls or traffic fines. Moreover, compromised RSUs could serve as footholds for lateral movement into broader transportation networks or critical infrastructure systems, amplifying the impact. The confidentiality of data transmitted by RSUs, such as vehicle identification and traffic patterns, could also be at risk. Given the strategic importance of transportation infrastructure in Europe, exploitation could have cascading effects on public safety and economic activities.

To mitigate this vulnerability, European organizations should immediately assess their deployment of Kapsch RIS-9160 and RIS-9260 RSUs to identify affected firmware versions. Since no patches are currently listed, organizations should engage with Kapsch TrafficCom for firmware updates or security advisories addressing BIOS password policies. In the interim, physical security controls must be strengthened to prevent unauthorized physical access to RSUs, as BIOS brute forcing requires direct device access. Network segmentation should be enforced to isolate RSUs from broader enterprise networks, limiting attacker movement if a device is compromised. Implement monitoring for unusual device behavior or repeated authentication failures at the BIOS level, if supported. Additionally, organizations should consider deploying hardware-based security modules or BIOS-level password management tools that enforce complexity and lockout policies. Finally, incorporate this vulnerability into risk assessments and incident response plans to prepare for potential exploitation scenarios.