CVE-2025-25737 identifies a security vulnerability in Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs), specifically in firmware versions 3.2.0.829.23, 3.8.0.1119.42, and 4.6.0.1211.28. The core issue is the absence of secure password requirements for BIOS Supervisor and User accounts, which allows attackers to conduct brute-force attacks to bypass BIOS authentication. This vulnerability falls under CWE-521, which relates to weak password requirements. The BIOS is a critical component that controls low-level hardware initialization and security; unauthorized access here can lead to full system compromise. The CVSS v3.1 base score is 6.8 (medium severity), with an attack vector of physical (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The physical attack vector indicates that attackers need physical or local access to the device to exploit the vulnerability, which limits remote exploitation but still presents a significant risk in scenarios where physical access is possible. No patches or firmware updates are currently linked, and no known exploits have been reported in the wild. The vulnerability could allow attackers to gain unauthorized BIOS-level access, potentially enabling firmware tampering, persistent malware installation, or disabling of security features, which could disrupt traffic management systems or compromise data integrity.

For European organizations, this vulnerability poses a significant risk to critical traffic infrastructure managed by Kapsch TrafficCom RSUs. Successful exploitation could lead to unauthorized control over roadside units, enabling attackers to manipulate traffic signals, disrupt traffic flow, or disable safety mechanisms. This could result in traffic congestion, increased accident risk, and broader public safety hazards. Confidentiality breaches could expose sensitive traffic data, while integrity and availability impacts could undermine trust in traffic management systems. Given the physical attack vector, the threat is more pronounced in locations where RSUs are accessible or insufficiently secured physically. Disruptions could have cascading effects on urban mobility, emergency response times, and smart city operations. The lack of secure BIOS passwords also increases the risk of persistent firmware-level attacks that are difficult to detect and remediate, potentially allowing long-term compromise of traffic infrastructure.

European organizations should immediately assess physical security controls around Kapsch RIS-9160 and RIS-9260 RSUs to prevent unauthorized physical access. Implement strict BIOS password policies enforcing complex, unique passwords for Supervisor and User accounts to mitigate brute-force attempts. Where possible, enable account lockout or delay mechanisms after multiple failed login attempts to hinder brute-force attacks. Monitor RSU devices for signs of tampering or unauthorized access. Coordinate with Kapsch TrafficCom for firmware updates or patches addressing this vulnerability and plan timely deployment once available. Consider network segmentation and limiting physical access to RSUs to trusted personnel only. Employ hardware security modules or tamper-evident seals to detect physical interference. Regularly audit BIOS configurations and maintain an inventory of devices and their firmware versions to prioritize remediation efforts. Additionally, integrate RSU security monitoring into broader traffic management cybersecurity frameworks to detect anomalous behavior early.