CVE-2025-25735
📋 TL;DR
This vulnerability allows attackers with software access on Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units to modify SPI flash memory at runtime because SPI Protected Range Registers (PRRs) are not configured. This affects organizations using these specific RSU versions for traffic management systems. Attackers could potentially alter device firmware or configuration without the hardware write protection that PRRs would normally enforce.
💻 Affected Systems
- Kapsch TrafficCom RIS-9160 Roadside Unit
- Kapsch TrafficCom RIS-9260 Roadside Unit
⚠️ Risk & Real-World Impact
Worst Case
An attacker with software access could permanently modify device firmware, install persistent malware, disable safety features, or cause traffic system malfunctions leading to safety hazards.
Likely Case
Malicious insiders or compromised software could modify configuration settings, disable logging, or install backdoors for future access.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users making unauthorized modifications, which could still cause service disruption.
🎯 Exploit Status
Requires software execution on the device. No public exploit code available. Attackers need to understand SPI flash architecture and have software access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Kapsch for updated firmware versions
Vendor Advisory: https://www.kapsch.net/en
Restart Required: Yes
Instructions:
1. Contact Kapsch TrafficCom support for patched firmware versions.
2. Back up the current configuration.
3. Apply the firmware update following vendor procedures.
4. Verify that SPI PRR protections are enabled.
5. Test functionality before production deployment.
🔧 Temporary Workarounds
Restrict software access
Limit software installation and execution privileges on RSU devices to authorized personnel only.
Network segmentation
Isolate RSU devices on separate network segments with strict access controls.
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized software installation on RSU devices
- Deploy network monitoring and anomaly detection for RSU communications and configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the device firmware version via the vendor management interface or console. If the version matches the affected list, the device is vulnerable.
Check Version:
Use vendor-specific CLI or management interface commands (consult Kapsch documentation)
Verify Fix Applied:
After patching, verify firmware version is updated and test SPI flash write protections through vendor diagnostic tools.
📡 Detection & Monitoring
Log Indicators:
- Unexpected firmware or configuration changes
- Unauthorized access attempts to device management interfaces
- SPI flash write operations outside normal maintenance windows
Network Indicators:
- Unusual traffic patterns to/from RSU devices
- Unexpected firmware update attempts
- Configuration changes outside maintenance schedules
SIEM Query:
Example: (device_type:RSU AND (event_type:firmware_change OR event_type:config_change) AND NOT user:authorized_maintenance)
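The SIEM query above and the "SPI flash write operations outside normal maintenance windows" indicator, expressed as detection logic over constructed sample log lines. This is an added example, not part of the original advisory or any Kapsch tooling; the field names follow the query on this page, and the event records, the `spi_flash_write` event type and the 01:00-04:00 maintenance window are assumptions you would replace with your site's values.

```python
import json
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed sample events (not real RSU logs); field names follow the
# SIEM query on this page (device_type, event_type, user) plus a timestamp.
SAMPLE_LOGS = """\
{"ts": "2025-03-01T02:15:00", "device_type": "RSU", "event_type": "firmware_change", "user": "authorized_maintenance"}
{"ts": "2025-03-01T13:40:00", "device_type": "RSU", "event_type": "config_change", "user": "svc_app"}
{"ts": "2025-03-01T14:02:00", "device_type": "RSU", "event_type": "spi_flash_write", "user": "authorized_maintenance"}
{"ts": "2025-03-01T03:00:00", "device_type": "RSU", "event_type": "spi_flash_write", "user": "authorized_maintenance"}
{"ts": "2025-03-01T14:05:00", "device_type": "switch", "event_type": "config_change", "user": "svc_app"}
{"ts": "2025-03-01T14:06:00", "device_type": "RSU", "event_type": "heartbeat", "user": "system"}
"""

# Assumed maintenance window, 01:00-04:00 local time (site-specific value).
MAINT_START, MAINT_END = time(1, 0), time(4, 0)
CHANGE_EVENTS = {"firmware_change", "config_change"}
AUTHORIZED_USER = "authorized_maintenance"


def in_maintenance_window(ts: datetime) -> bool:
    return MAINT_START <= ts.time() < MAINT_END


def classify(event: dict) -> Optional[str]:
    """Return an alert label for a suspicious RSU event, or None."""
    if event.get("device_type") != "RSU":
        return None
    etype = event.get("event_type")
    ts = datetime.fromisoformat(event["ts"])
    # Rule 1: the page's SIEM query - change events by a non-maintenance user.
    if etype in CHANGE_EVENTS and event.get("user") != AUTHORIZED_USER:
        return "unauthorized_change"
    # Rule 2: SPI flash writes outside the maintenance window (log indicator).
    if etype == "spi_flash_write" and not in_maintenance_window(ts):
        return "flash_write_outside_window"
    return None


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Run both rules over newline-delimited JSON; return (ts, label) pairs."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append((event["ts"], label))
    return alerts


if __name__ == "__main__":
    for ts, label in scan(SAMPLE_LOGS):
        print(ts, label)
```

Authorized changes inside the window and events from non-RSU devices produce no alert, so the two rules together flag only the two events that match the page's indicators.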
🔗 References
- https://cwe.mitre.org/data/definitions/1233.html
- https://phrack.org/issues/72/16_md
- https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dec7e7/KTC-CVS_RIS-9260_DataSheet.pdf
- https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3efcd5/Kapsch_RIS-9160_Datasheet_EN.pdf
- https://www.kapsch.net/en
- https://www.kapsch.net/en/press/releases/ktc-20200813-pr-en