CVE-2025-61939: CWE-923 Improper Restriction of Communication Channel to Intended Endpoints in Columbia Weather Systems MicroServer
An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. An attacker on the local network with admin access to the web server, and the ability to manipulate DNS responses, can redirect the SSH connection to an attacker controlled device.
AI Analysis
Technical Summary
CVE-2025-61939 is a vulnerability classified under CWE-923, indicating improper restriction of communication channels to intended endpoints. The issue resides in an unused function within the Columbia Weather Systems MicroServer product that can initiate a reverse SSH connection to a domain registered by the vendor. This connection does not enforce mutual authentication, creating a trust boundary weakness. An attacker who has administrative access to the local web server and can manipulate DNS responses on the local network can redirect this SSH connection to an attacker-controlled server. This redirection enables the attacker to intercept or manipulate the SSH session, potentially leading to unauthorized data access, command execution, or further network compromise. The vulnerability is remotely exploitable within the local network without user interaction and does not require authentication for the SSH connection itself, although local admin privileges on the web server are necessary. The CVSS 4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability due to the potential for high-value data exfiltration and control over the device. No patches or known exploits are currently available, highlighting the need for proactive mitigation. The vulnerability affects version 0 of the MicroServer product, which may indicate early or initial releases. Given the critical role of weather systems in infrastructure and safety, exploitation could have broader operational impacts.
Potential Impact
For European organizations, this vulnerability poses significant risks, particularly for entities relying on Columbia Weather Systems MicroServer devices for weather data collection, monitoring, or control. Successful exploitation could lead to unauthorized access to sensitive environmental data, manipulation of weather monitoring outputs, or disruption of services dependent on accurate weather information. This could impact sectors such as energy, transportation, agriculture, and emergency services that rely on precise weather data. The ability to redirect SSH connections to attacker-controlled endpoints could facilitate lateral movement within networks, data exfiltration, or deployment of further malware. The requirement for local admin access and DNS manipulation limits the attack surface but does not eliminate risk, especially in environments with insufficient network segmentation or weak DNS security. The lack of mutual authentication in the SSH connection exacerbates the threat, increasing the likelihood of successful man-in-the-middle attacks. The absence of patches means organizations must rely on compensating controls to reduce exposure. Overall, the vulnerability could undermine operational integrity and data confidentiality in critical European infrastructure reliant on these systems.
Mitigation Recommendations
1. Implement strict network segmentation to isolate MicroServer devices from general user networks and restrict administrative access to trusted personnel only.
2. Enforce DNS security measures such as DNSSEC to prevent DNS spoofing or manipulation attacks within the local network.
3. Monitor outbound SSH connections from MicroServer devices for unusual destinations or patterns indicative of redirection attempts.
4. Disable or remove unused functions or services in the MicroServer firmware where possible to reduce attack surface.
5. Employ strong access controls and audit logging on the web server hosting the MicroServer interface to detect and prevent unauthorized administrative actions.
6. Use network intrusion detection systems (NIDS) to identify anomalous traffic patterns consistent with exploitation attempts.
7. Engage with Columbia Weather Systems for firmware updates or patches and apply them promptly once available.
8. Conduct regular security assessments and penetration testing focusing on local network vulnerabilities and DNS integrity.
9. Educate network administrators about the risks of DNS manipulation and the importance of securing local network infrastructure.
10. Consider deploying endpoint detection and response (EDR) solutions on critical systems to detect suspicious SSH activity.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Spain, Sweden, Norway, Finland, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2025-12-08T19:17:55.922Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695ebbdb2efadb62cf6b2ad8
Added to database: 1/7/2026, 8:02:35 PM
Last enriched: 1/7/2026, 8:16:57 PM
Last updated: 1/8/2026, 10:27:26 PM