
CVE-2025-4905: Deserialization in iop-apl-uw basestation3

Medium
Published: Mon May 19 2025 (05/19/2025, 01:31:04 UTC)
Source: CVE
Vendor/Project: iop-apl-uw
Product: basestation3

Description

A vulnerability was found in iop-apl-uw basestation3 up to 3.0.4 and classified as problematic. This issue affects the function load_qc_pickl of the file basestation3/QC.py. Manipulation of the argument qc_file leads to deserialization. The attack requires local access. The exploit has been disclosed to the public and may be used. The code maintainer tagged the issue as closed, but no new commit or release is available in the GitHub repository so far.

AI-Powered Analysis

Last updated: 07/11/2025, 20:46:42 UTC

Technical Analysis

CVE-2025-4905 is a medium-severity vulnerability affecting the iop-apl-uw basestation3 software versions 3.0.0 through 3.0.4. The vulnerability arises from insecure deserialization in the load_qc_pickl function located in the basestation3/QC.py file. Specifically, the vulnerability is triggered by manipulation of the qc_file argument, which is deserialized without sufficient validation or sanitization. This can allow an attacker with local access and low privileges to execute arbitrary code or manipulate the application state by crafting malicious serialized data. The vulnerability requires local access (AV:L) and low privileges (PR:L), but does not require user interaction (UI:N). The attack complexity is low (AC:L), and the impact on confidentiality, integrity, and availability is limited but present (VC:L, VI:L, VA:L). The vendor has marked the issue as closed; however, no patch or updated release has been published yet, leaving affected users exposed. Although no known exploits are currently reported in the wild, the public disclosure of the vulnerability increases the risk of exploitation attempts. The vulnerability does not require network access or authentication beyond local access, which limits its attack surface but still poses a risk in environments where local access can be obtained or where multiple users share the system. The deserialization flaw is a common vector for remote code execution or privilege escalation if combined with other vulnerabilities or misconfigurations, making timely mitigation important.

Potential Impact

For European organizations using iop-apl-uw basestation3, this vulnerability could lead to unauthorized code execution or data manipulation if an attacker gains local access to the system. This could compromise the confidentiality and integrity of sensitive data processed by the basestation3 software. Although the vulnerability requires local access, in environments such as shared workstations, multi-user systems, or where attackers have physical or remote access through other means (e.g., compromised credentials or lateral movement), the risk is significant. The impact could include disruption of operations, data corruption, or further escalation of privileges leading to broader network compromise. Given the lack of an official patch, organizations face a window of exposure. In critical infrastructure or industrial control systems in Europe that rely on basestation3, this vulnerability could affect operational continuity and safety. The medium CVSS score reflects moderate risk but should not be underestimated in sensitive environments.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Restrict local access to systems running basestation3 to trusted personnel only, enforcing strict access controls and monitoring.
2) Employ application whitelisting and runtime application self-protection (RASP) to detect and block unauthorized deserialization attempts.
3) Isolate basestation3 instances in segmented network zones to limit lateral movement if compromise occurs.
4) Monitor system logs and basestation3 application logs for unusual deserialization or file access patterns related to qc_file usage.
5) Until an official patch is released, consider disabling or restricting functionality that involves loading qc_file inputs if feasible.
6) Use host-based intrusion detection systems (HIDS) to detect anomalous behavior indicative of exploitation attempts.
7) Maintain up-to-date backups and incident response plans tailored to basestation3 environments.
8) Engage with the vendor or community to obtain updates or unofficial patches and apply them promptly once available.
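Added example (not code from this advisory or from basestation3): one way to restrict qc_file loading as the Technical Analysis and mitigations 1 and 5 suggest, by resolving only allowlisted types during deserialization and refusing files that other local users could modify. It assumes qc_file is a Python pickle, as the function name and QC.py suggest; the allowlist, the size limit and the names QCUnpickler, safe_loads and load_qc_file are hypothetical.

```python
import io
import os
import pickle
import stat

# Hypothetical allowlist: types a QC file is assumed to need beyond plain
# dict/list/tuple/str/int/float/bytes (which never reach find_class).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
MAX_QC_BYTES = 64 * 1024 * 1024  # assumed upper bound for a QC file


class QCUnpickler(pickle.Unpickler):
    """Resolve only allowlisted (module, name) pairs; refuse everything else."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize bytes without importing anything outside the allowlist."""
    return QCUnpickler(io.BytesIO(data)).load()


def load_qc_file(path: str):
    """Refuse files not owned by the current user or writable by others."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse a symlinked file
    with os.fdopen(fd, "rb") as fh:
        st = os.fstat(fh.fileno())  # check the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != os.geteuid():
            raise PermissionError("file is owned by another user")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("file is group- or world-writable")
        if st.st_size > MAX_QC_BYTES:
            raise ValueError("file exceeds the size limit")
        return QCUnpickler(fh).load()
```

The allowlist has to be extended with whatever types real QC files contain before this can replace an unrestricted pickle.load call; the ownership check does not cover a parent directory that other users can write to.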


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-17T13:14:07.574Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb827

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 8:46:42 PM

Last updated: 8/2/2025, 10:27:00 PM
