CVE-2025-64305: CWE-313 Cleartext Storage in a File or on Disk in Columbia Weather Systems MicroServer

Severity: High
Type: Vulnerability
Tags: CVE-2025-64305, cve, cve-2025-64305, cwe-313
Published: Wed Jan 07 2026 (01/07/2026, 20:02:02 UTC)
Source: CVE Database V5
Vendor/Project: Columbia Weather Systems
Product: MicroServer

Description

MicroServer copies parts of the system firmware to an unencrypted external SD card on boot, which contains user and vendor secrets. An attacker can utilize these plaintext secrets to modify the vendor firmware, or gain admin access to the web portal.

AI-Powered Analysis

Last updated: 01/07/2026, 20:32:19 UTC

Technical Analysis

CVE-2025-64305 is a vulnerability classified under CWE-313 (Cleartext Storage in a File or on Disk) affecting the Columbia Weather Systems MicroServer product. The issue arises because the MicroServer copies parts of its system firmware, which contain sensitive user and vendor secrets, onto an external SD card in an unencrypted form during the device's boot process. This unprotected storage of secrets on removable media exposes critical information that can be accessed by an attacker with physical or network access to the device or its storage. The exposed secrets can be leveraged to modify the vendor firmware, potentially allowing an attacker to implant malicious code or backdoors. Additionally, the attacker can gain administrative access to the MicroServer’s web portal, which controls device configuration and operation. The CVSS 4.0 score of 7.1 reflects a high severity due to the vulnerability's ability to compromise confidentiality and integrity without requiring authentication or user interaction. The attack vector is adjacent network (AV:A), meaning the attacker must have access to the same network segment or physical access to the device. The vulnerability does not impact availability directly but poses a significant risk to device integrity and confidentiality. No patches or vendor fixes are currently available, and no exploits have been reported in the wild. The vulnerability is particularly concerning for environments where MicroServer devices are used for weather data collection, industrial control, or environmental monitoring, as compromise could lead to falsified data or loss of control over critical infrastructure.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized access to critical weather monitoring systems, potentially disrupting data integrity and operational reliability. Compromised firmware could allow attackers to manipulate sensor data or device behavior, impacting decision-making in sectors such as agriculture, energy, transportation, and emergency services. The exposure of vendor secrets also risks supply chain security and could facilitate further attacks on related infrastructure. Given the reliance on accurate environmental data for regulatory compliance and safety, exploitation could have cascading effects on public safety and economic activities. The lack of encryption on removable media increases the risk of insider threats or physical tampering, especially in facilities with less stringent physical security. The vulnerability’s ease of exploitation without authentication raises the threat level for organizations with exposed or poorly segmented networks. Overall, the impact includes loss of confidentiality, integrity, and potential operational disruption, which are critical for European entities managing environmental and industrial systems.

Mitigation Recommendations

European organizations should immediately implement strict physical security controls to prevent unauthorized access to MicroServer devices and their SD cards. Network segmentation should be enforced to limit access to the MicroServer’s network segment, reducing the risk of remote exploitation. Continuous monitoring and logging of device access and SD card usage can help detect suspicious activities early. Organizations should disable or restrict external SD card usage if possible or replace devices with more secure alternatives. Until a vendor patch is available, consider deploying compensating controls such as encrypted tunnels for web portal access and multi-factor authentication to reduce the risk of unauthorized administrative access. Engage with Columbia Weather Systems to demand firmware updates that encrypt sensitive data on external storage and implement firmware integrity verification mechanisms. Regular security audits and penetration testing focusing on physical and network access to these devices will also help identify and mitigate risks. Finally, maintain an incident response plan tailored to potential firmware compromise scenarios.

Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2025-12-08T19:17:55.931Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 695ebf602efadb62cf7fc34c

Added to database: 1/7/2026, 8:17:36 PM

Last enriched: 1/7/2026, 8:32:19 PM

Last updated: 1/8/2026, 10:00:57 PM
