CVE-2025-62193
📋 TL;DR
This vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands on NOAA PMEL Live Access Server (LAS) installations by sending specially crafted requests containing PyFerret expressions. Attackers can leverage the SPAWN command to achieve remote code execution. All LAS systems running vulnerable versions are affected.
💻 Affected Systems
- NOAA PMEL Live Access Server (LAS)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, exfiltrate sensitive data, pivot to other systems, or deploy ransomware.
Likely Case
Attackers gain shell access to the server, potentially stealing data, modifying configurations, or using the system as a foothold for further attacks.
If Mitigated
With proper network segmentation and access controls, impact could be limited to the LAS application server only.
🎯 Exploit Status
The vulnerability leverages PyFerret's SPAWN command, which is well-documented functionality. Attackers need to craft requests with malicious expressions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version with commit de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29 or later
Vendor Advisory: https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
Restart Required: Yes
Instructions:
1. Pull the latest LAS code from the NOAA-PMEL/LAS repository.
2. Apply the fix from commit de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29.
3. Rebuild and redeploy the LAS application.
4. Restart the LAS service.
🔧 Temporary Workarounds
Network Access Restriction
Linux: Restrict network access to LAS servers to only trusted IP addresses (repeat the ACCEPT rule for each trusted address, and keep it ahead of the DROP rule)
iptables -A INPUT -p tcp --dport [LAS_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [LAS_PORT] -j DROP
Web Application Firewall
Any platform: Deploy a WAF to block requests containing PyFerret SPAWN commands
🧯 If You Can't Patch
- Take the LAS server offline immediately
- Implement strict network segmentation and isolate the LAS server from other systems
🔍 How to Verify
Check if Vulnerable:
Check whether the RequestInputFilter.java file in your LAS deployment predates the 2025-09-24 fix (commit de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29); if it does, the installation is vulnerable
Check Version:
Check LAS build date or git commit hash in the application deployment
Verify Fix Applied:
Verify that the RequestInputFilter.java file contains the security fixes from commit de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
📡 Detection & Monitoring
Log Indicators:
- Unusual PyFerret expressions in request logs
- SPAWN commands in URL parameters or POST data
- Unexpected system command execution
Network Indicators:
- Requests containing PyFerret SPAWN commands
- Unusual outbound connections from LAS server
SIEM Query:
source="las_logs" AND ("SPAWN" OR "PyFerret" OR "os.execute")
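As an added example (not part of this advisory, and not LAS project code), the following Python implements the log indicators above and the request classifier that the WAF workaround describes: it undoes percent-encoding, including double encoding, before looking for a SPAWN token, so an encoded expression is not missed, and it matches SPAWN as a whole word so that unrelated words do not fire. The Apache-style log format, the `/las/ProductServer.do` path and the `expr` parameter are assumptions made for illustration; the sample log lines are constructed.

```python
"""Detect PyFerret SPAWN tokens in LAS request logs (CVE-2025-62193).

Added example, not LAS project code. The Apache-style log format, the
/las/ProductServer.do path and the expr= parameter are assumptions made
for illustration; the log lines below are constructed.
"""
import re
from urllib.parse import unquote_plus

# Match SPAWN as a whole word, case-insensitively, so that unrelated words
# such as "respawned" do not trigger a finding.
SPAWN_RE = re.compile(r"\bspawn\b", re.IGNORECASE)

# Apache combined-log style: client, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(text, max_rounds=3):
    """Undo percent-encoding repeatedly (bounded) so that a token hidden
    behind double encoding such as %2553 is still visible to the matcher."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def request_is_suspicious(data):
    """True if a query string or POST body contains a SPAWN token after decoding.
    The same check serves a WAF rule, a servlet filter or a log scanner."""
    return SPAWN_RE.search(decode_fully(data)) is not None


def scan_log(lines):
    """Return one finding per log line whose request URL carries a SPAWN token.
    Lines that do not parse are skipped rather than raising."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if request_is_suspicious(m["path"]):
            findings.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "status": int(m["status"]),
                "decoded_path": decode_fully(m["path"]),
            })
    return findings


# Constructed sample lines: a normal LAS request, a request carrying a
# harmless SPAWN expression, a false-positive candidate, and an unparseable line.
SAMPLE_LOG = [
    '198.51.100.20 - - [24/Sep/2025:10:01:02 +0000] '
    '"GET /las/ProductServer.do?expr=TEMP%5Bl%3D1%5D HTTP/1.1" 200 5120',
    '203.0.113.7 - - [24/Sep/2025:10:02:15 +0000] '
    '"GET /las/ProductServer.do?expr=SPAWN%20%22echo%20test%22 HTTP/1.1" 200 310',
    '198.51.100.21 - - [24/Sep/2025:10:03:00 +0000] '
    '"GET /las/docs/respawned.html HTTP/1.1" 404 210',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} {f['decoded_path']}")
```

Feed real access logs to `scan_log` line by line; a 200 status on a flagged request deserves more attention than a 4xx, since it indicates the expression reached the server rather than being rejected up front. The bounded decoding loop is deliberate: unbounded repeated decoding can be made expensive by a client, while three rounds cover the encodings seen in practice.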
🔗 References
- https://github.com/NOAA-PMEL/LAS/blob/main/README.md
- https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
- https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b
- https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923
- https://github.com/NOAA-PMEL/LAS/tree/main
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-62193