CVE-2025-25736

6.8 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to gain root shell access to Kapsch TrafficCom RIS-9260 RSU devices via Android Debug Bridge (ADB) enabled by default. Affected systems include RIS-9260 RSU LEO versions v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 with default configurations.

💻 Affected Systems

Products:
  • Kapsch TrafficCom RIS-9260 RSU LEO
Versions: v3.2.0.829.23, v3.8.0.1119.42, v4.6.0.1211.28
Operating Systems: Android-based embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration with ADB enabled and accessible via 'kapsch' user credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attackers to modify traffic control systems, disrupt operations, or use devices as footholds into connected networks.

🟠 Likely Case

Unauthorized access to device configuration, potential data exfiltration, and disruption of roadside unit functionality.

🟢 If Mitigated

Limited impact if ADB access is properly restricted and devices are isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Devices often deployed in public infrastructure with network connectivity, making them accessible to attackers.
🏢 Internal Only: MEDIUM - Even internally, unauthorized root access poses significant risk to device integrity and network security.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to ADB port and knowledge of default credentials. No authentication bypass needed beyond default configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with vendor for patched versions

Vendor Advisory: https://www.kapsch.net/en

Restart Required: No

Instructions:

1. Contact Kapsch TrafficCom for security updates.
2. Apply vendor-provided patches.
3. Verify ADB is disabled or properly secured.

🔧 Temporary Workarounds

Disable ADB Service

all

Disable Android Debug Bridge service to prevent unauthorized access

adb shell pm disable com.android.shell
adb shell setprop persist.service.adb.enable 0

Change Default Credentials

all

Change default 'kapsch' user password to strong, unique credentials

adb shell passwd kapsch

🧯 If You Can't Patch

  • Network segmentation: Isolate RIS-9260 devices from untrusted networks using firewalls
  • Access control: Restrict network access to ADB port (default 5555) to authorized management systems only

🔍 How to Verify

Check if Vulnerable:

Check if ADB service is running and accessible: 'adb connect <device_ip>:5555' followed by 'adb shell' with 'kapsch' user

Check Version:

Check device firmware version via web interface or console: 'cat /etc/version' or similar

Verify Fix Applied:

Attempt ADB connection after remediation: 'adb connect <device_ip>:5555' should fail or require proper authentication

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts to ADB service
  • Successful ADB connections from unauthorized sources
  • Root shell access via ADB

Network Indicators:

  • Unexpected connections to port 5555 (ADB)
  • ADB protocol traffic from non-management systems

SIEM Query:

(source_port:5555 OR destination_port:5555) AND (protocol:adb OR service:android_debug)
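
An added example (not from the advisory or the vendor) of the network indicators above: it flags flows from outside a management range that either target port 5555 or begin with a well-formed ADB message header on any port. The management subnet, the flow tuple layout and the sample flows are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: constructed management range allowed to reach ADB.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]
ADB_PORT = 5555  # default ADB-over-TCP port named in the advisory
# ADB message command words as they appear on the wire.
ADB_COMMANDS = {b"CNXN", b"AUTH", b"OPEN", b"OKAY", b"CLSE", b"WRTE", b"SYNC", b"STLS"}


def is_adb_header(payload: bytes) -> bool:
    """True if payload starts with a well-formed 24-byte ADB message header."""
    if len(payload) < 24:
        return False
    command, _a0, _a1, _length, _crc, magic = struct.unpack("<6I", payload[:24])
    # The last header word must be the bitwise complement of the command word.
    return payload[:4] in ADB_COMMANDS and magic == command ^ 0xFFFFFFFF


def triage(flows):
    """Return (src, dst, dport, reason) for each flow that needs review."""
    alerts = []
    for src, dst, dport, payload in flows:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in MGMT_NETS):
            continue  # authorized management system
        if is_adb_header(payload):
            alerts.append((src, dst, dport, "adb-protocol"))
        elif dport == ADB_PORT:
            alerts.append((src, dst, dport, "adb-port"))
    return alerts


# Constructed CNXN message: header (checksum left 0) plus a 7-byte banner.
CNXN = struct.pack("<4s5I", b"CNXN", 0x01000001, 262144, 7, 0, 0xB1A7B1BC) + b"host::\x00"
# Constructed sample flows: (src, dst, dst_port, first payload bytes)
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.50.1.10", 5555, CNXN),    # management host, ignored
    ("192.0.2.77", "10.50.1.10", 5555, CNXN),   # non-management ADB session
    ("192.0.2.78", "10.50.1.11", 5555, b""),    # connection attempt, no payload
    ("192.0.2.79", "10.50.1.12", 5556, CNXN),   # ADB moved to another port
    ("192.0.2.80", "10.50.1.12", 443, b"\x16\x03\x01\x02\x00" + b"\x00" * 30),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_FLOWS):
        print(alert)
```
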
