CVE-2025-25734
📋 TL;DR
Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units contain an unauthenticated EFI shell accessible during boot, allowing attackers to execute arbitrary code or escalate privileges. This affects RSUs running vulnerable firmware versions, potentially compromising traffic management systems.
💻 Affected Systems
- Kapsch TrafficCom RIS-9160 Roadside Unit
- Kapsch TrafficCom RIS-9260 Roadside Unit
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install persistent malware, disrupt traffic management systems, or use RSUs as footholds into connected infrastructure networks.
Likely Case
Local attackers gaining administrative access to modify system configurations, install unauthorized software, or disrupt RSU operations.
If Mitigated
Limited impact if physical access controls prevent unauthorized personnel from reaching devices during the boot process.
🎯 Exploit Status
Exploitation requires access during the boot process, which may involve physical access or network access if boot services are exposed. No authentication is required once EFI shell is accessible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Kapsch for patched firmware versions
Vendor Advisory: https://www.kapsch.net/en
Restart Required: Yes
Instructions:
1. Contact Kapsch TrafficCom for patched firmware versions.
2. Back up the current configuration.
3. Apply the firmware update following vendor instructions.
4. Verify that the EFI shell is no longer accessible without authentication.
🔧 Temporary Workarounds
Physical Access Controls
Restrict physical access to RSU devices so that unauthorized personnel cannot reach the boot process.
Secure Boot Configuration
Configure Secure Boot options, if the firmware offers them, to restrict EFI shell access.
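The following is an added example, not code from the advisory or from Kapsch, showing how an operator with a Linux management OS on the unit (an assumption; the advisory does not state what the RSU runs) could check the two things the workaround above depends on: whether Secure Boot is actually enforcing, and whether a UEFI shell is still present as a boot entry. It reads the `SecureBoot` and `SetupMode` variables in the efivarfs layout (4-byte attribute mask followed by the data) and scans `efibootmgr` output for shell-like entries. The variable bytes and the `efibootmgr` listing below are constructed samples; the shell label list and the `rsu-os` entry name are assumptions.

```python
import re
import struct

# UEFI global variables as exposed by Linux efivarfs under /sys/firmware/efi/efivars/
# (the GUID is the EFI_GLOBAL_VARIABLE GUID).
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUPMODE_VAR = "SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Labels / file names commonly used for the UEFI shell in boot entries.
# Assumed list: extend it with whatever the vendor firmware actually uses.
SHELL_MARKERS = ("efi internal shell", "efi shell", "uefi shell", "shell.efi", "shellx64.efi")


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs file layout: 4-byte little-endian attribute mask, then the variable data."""
    if len(raw) < 5:
        raise ValueError("efivar payload too short")
    attrs = struct.unpack_from("<I", raw, 0)[0]
    return attrs, raw[4:]


def secure_boot_state(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """SecureBoot data byte 1 == enforcing; SetupMode byte 1 == no Platform Key enrolled."""
    _, sb = parse_efivar(secureboot_raw)
    _, sm = parse_efivar(setupmode_raw)
    return {"secure_boot": sb[0] == 1, "setup_mode": sm[0] == 1}


def shell_boot_entries(efibootmgr_output: str) -> list[str]:
    """Return the Boot#### ids whose label or device path looks like a UEFI shell."""
    hits = []
    for line in efibootmgr_output.splitlines():
        m = re.match(r"^(Boot[0-9A-Fa-f]{4})\*?\s+(.*)$", line)
        if m and any(marker in m.group(2).lower() for marker in SHELL_MARKERS):
            hits.append(m.group(1))
    return hits


def assess(secureboot_raw: bytes, setupmode_raw: bytes, efibootmgr_output: str) -> list[str]:
    """Collect findings; an empty list means the workaround is in place."""
    findings = []
    state = secure_boot_state(secureboot_raw, setupmode_raw)
    if not state["secure_boot"]:
        findings.append("Secure Boot is disabled")
    if state["setup_mode"]:
        findings.append("firmware is in Setup Mode (no Platform Key enrolled)")
    for entry in shell_boot_entries(efibootmgr_output):
        # A shell entry is a problem even with Secure Boot on if the shell binary is signed.
        findings.append(f"{entry} is a UEFI shell boot entry")
    return findings


def read_efivar(name: str) -> bytes:
    """Read a variable from efivarfs on a live Linux host (needs root)."""
    with open(f"/sys/firmware/efi/efivars/{name}", "rb") as f:
        return f.read()


# Constructed samples (attribute mask 0x06 = BOOTSERVICE_ACCESS | RUNTIME_ACCESS).
WEAK_SB = b"\x06\x00\x00\x00\x00"     # SecureBoot = 0
WEAK_SM = b"\x06\x00\x00\x00\x01"     # SetupMode = 1
HARD_SB = b"\x06\x00\x00\x00\x01"     # SecureBoot = 1
HARD_SM = b"\x06\x00\x00\x00\x00"     # SetupMode = 0
WEAK_BOOT = """BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* EFI Internal Shell    FvVol(fv-guid-placeholder)/FvFile(shell-guid-placeholder)
Boot0001* rsu-os    HD(1,GPT,part-guid-placeholder)/File(\\EFI\\BOOT\\BOOTX64.EFI)
"""
HARD_BOOT = """BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001
Boot0001* rsu-os    HD(1,GPT,part-guid-placeholder)/File(\\EFI\\BOOT\\BOOTX64.EFI)
"""

if __name__ == "__main__":
    print("weak:", assess(WEAK_SB, WEAK_SM, WEAK_BOOT))
    print("hardened:", assess(HARD_SB, HARD_SM, HARD_BOOT))
```

On a live host, replace the constructed samples with `read_efivar(SECUREBOOT_VAR)`, `read_efivar(SETUPMODE_VAR)` and the output of `efibootmgr -v`. Removing the shell entry from the boot order is only half the story: the shell is also reachable from the firmware setup menu, which is why the advisory still recommends physical access controls alongside Secure Boot.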
🧯 If You Can't Patch
- Implement strict physical security controls around RSU installations
- Monitor for unauthorized system restarts or boot process access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to access the EFI shell during system boot by pressing the appropriate key combination (typically ESC, F2, or DEL) during POST. If the shell appears without an authentication prompt, the system is vulnerable.
Check Version:
Check the firmware version through the device web interface or console; it is typically available in the System > About or Status pages.
Verify Fix Applied:
After patching, attempt to access the EFI shell during boot. The system should require authentication or prevent access entirely.
📡 Detection & Monitoring
Log Indicators:
- Unexpected system reboots
- Boot process interruptions
- EFI shell access logs if available
Network Indicators:
- Unusual network traffic during boot process
- Unexpected PXE or network boot attempts
SIEM Query:
Search for system reboot events outside maintenance windows combined with physical access logs to RSU locations.
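As an added example (not part of the advisory, and not a Kapsch tool), here is the correlation described in the SIEM query above carried out in code: reboots are detected from the kernel boot banner in syslog, each one is classified against a maintenance window, and reboots outside the window are cross-checked against physical access (badge) records for the cabinet the unit lives in. The syslog lines, badge records, hostname-to-cabinet mapping and maintenance window (Tuesday 02:00-04:00 UTC) are all constructed assumptions; substitute the site's real data sources.

```python
import re
from datetime import datetime, timedelta, timezone

# Linux kernel boot banner marks a (re)boot. Adjust if the RSU OS logs boots differently.
REBOOT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+kernel: Linux version ")

# Assumed mapping from RSU hostname to the roadside cabinet whose badge reader logs access.
HOST_SITE = {"rsu-07": "cabinet-I95-M12", "rsu-12": "cabinet-SR9-M4"}

# Assumed maintenance window: Tuesday (weekday 1) 02:00-04:00 UTC.
MAINT_WEEKDAY = 1
MAINT_START_HOUR, MAINT_END_HOUR = 2, 4

# Constructed syslog excerpt: one reboot inside the window, two outside.
SAMPLE_SYSLOG = """\
2025-03-04T02:31:10Z rsu-07 kernel: Linux version 5.10.0 (constructed)
2025-03-06T23:48:02Z rsu-07 kernel: Linux version 5.10.0 (constructed)
2025-03-07T13:05:41Z rsu-12 kernel: Linux version 5.10.0 (constructed)
2025-03-07T13:06:00Z rsu-12 sshd[812]: Accepted publickey for ops from 10.0.0.5
"""

# Constructed badge records: (timestamp, cabinet, badge id).
SAMPLE_BADGE = [
    ("2025-03-07T12:50:00Z", "cabinet-SR9-M4", "badge-4411"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_maintenance_window(ts: datetime) -> bool:
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START_HOUR <= ts.hour < MAINT_END_HOUR


def find_reboots(syslog: str):
    """Yield (timestamp, host) for every boot banner in the log text."""
    for line in syslog.splitlines():
        m = REBOOT_RE.match(line)
        if m:
            yield parse_ts(m.group("ts")), m.group("host")


def correlate(syslog: str, badge_events, window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Classify each reboot by maintenance window and nearby physical access."""
    badge = [(parse_ts(t), site, who) for t, site, who in badge_events]
    alerts = []
    for ts, host in find_reboots(syslog):
        site = HOST_SITE.get(host, "unknown-site")
        if in_maintenance_window(ts):
            sev, reason = "info", "reboot inside maintenance window"
        else:
            # Badge swipes at the same cabinet within +/- window of the reboot.
            nearby = [who for bt, bsite, who in badge if bsite == site and abs(bt - ts) <= window]
            if nearby:
                sev = "medium"
                reason = "reboot outside maintenance window; on-site access by " + ", ".join(nearby)
            else:
                sev = "high"
                reason = "reboot outside maintenance window with no recorded physical access"
        alerts.append({"host": host, "site": site, "time": ts.isoformat(), "severity": sev, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_SYSLOG, SAMPLE_BADGE):
        print(a["severity"].upper(), a["host"], a["time"], a["reason"])
```

The "high" case is the one worth paging on: a unit came back up with nobody recorded at the cabinet, which is consistent with either a remote boot-service exposure or a badge bypass. The "medium" case still deserves a ticket, since a legitimate technician and someone interrupting the boot to reach the EFI shell look identical in syslog; the badge identity is what lets you ask.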
🔗 References
- https://cwe.mitre.org/data/definitions/1233.html
- https://phrack.org/issues/72/16_md
- https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dec7e7/KTC-CVS_RIS-9260_DataSheet.pdf
- https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3efcd5/Kapsch_RIS-9160_Datasheet_EN.pdf
- https://www.kapsch.net/en
- https://www.kapsch.net/en/press/releases/ktc-20200813-pr-en