CVE-2025-25737: n/a
Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack secure password requirements for their BIOS Supervisor and User accounts, allowing attackers to bypass authentication via a brute-force attack.
AI Analysis
Technical Summary
CVE-2025-25737 is a critical vulnerability affecting Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units (RSUs) across multiple firmware versions (v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28). These RSUs are integral components of intelligent transportation systems, facilitating communication between vehicles and traffic infrastructure. The vulnerability arises from the lack of secure password requirements for the BIOS Supervisor and User accounts on these devices. Specifically, weak or default BIOS passwords allow attackers to perform brute-force attacks to bypass authentication entirely. This bypass grants unauthorized access at a low level, potentially enabling attackers to alter firmware settings, disable security controls, or install persistent malware. The CVSS v3.1 base score of 9.8 underscores the criticality, reflecting that the vulnerability is remotely exploitable over the network without any privileges or user interaction, and can lead to complete compromise of confidentiality, integrity, and availability of the affected RSUs. Given the role of these RSUs in traffic management and safety, exploitation could disrupt traffic flow, cause denial of service, or facilitate further attacks on connected infrastructure. No known exploits are currently reported in the wild, but the ease of exploitation and critical impact make this a high-priority issue for remediation.
Potential Impact
For European organizations, particularly those involved in transportation infrastructure and smart city initiatives, this vulnerability poses a significant risk. RSUs are widely deployed across European road networks to support traffic monitoring, toll collection, and vehicle-to-infrastructure communication. Exploitation could lead to unauthorized control over these devices, resulting in traffic disruptions, safety hazards, and potential cascading failures in connected systems. Confidentiality breaches could expose sensitive traffic data, while integrity compromises might allow attackers to manipulate traffic signals or sensor data, causing accidents or congestion. Availability impacts could result in denial of service of critical roadside communication, undermining emergency response and traffic management. The critical severity and remote exploitability without authentication mean that attackers, including cybercriminals or state-sponsored actors, could target European transport networks to cause widespread disruption or gather intelligence. This threat is particularly concerning given Europe's emphasis on connected and automated vehicle technologies, where RSUs play a pivotal role.
Mitigation Recommendations
Mitigation should focus on immediate and long-term measures.
- Organizations must verify and enforce strong BIOS password policies on all affected RSUs, ensuring complex, unique passwords that resist brute-force attempts.
- If possible, update device firmware to versions that address this vulnerability once patches become available from Kapsch TrafficCom.
- In the interim, network segmentation should be employed to isolate RSUs from broader enterprise and public networks, limiting exposure to potential attackers.
- Implement strict access controls and monitoring on management interfaces to detect and respond to unauthorized login attempts.
- Employ intrusion detection systems tailored to identify brute-force patterns targeting BIOS authentication.
- Organizations should conduct regular security audits of RSU configurations and consider deploying hardware-based security modules to protect BIOS settings.
- Collaboration with Kapsch TrafficCom for timely vulnerability disclosures and patch management is essential.
- Contingency plans should be developed to maintain traffic management operations in case of RSU compromise or failure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Austria, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-07T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68adcca5ad5a09ad005926b7
Added to database: 8/26/2025, 3:03:01 PM
Last enriched: 9/3/2025, 1:05:50 AM
Last updated: 10/10/2025, 11:25:02 PM