CVE-2025-66620

8.0 HIGH

Authentication Bypass

📋 TL;DR

An unused webshell in MicroServer allows unlimited login attempts with sudo rights on certain files and directories. Attackers with admin access can gain limited shell access, enabling persistence through reverse shells and data modification/removal. This affects MicroServer deployments with the vulnerable component present.

💻 Affected Systems

Products:

• MicroServer

Versions: Specific versions not specified in provided references

Operating Systems: Unknown - likely Linux-based given sudo reference

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin access to MicroServer; the webshell appears to be present by default but unused.

📦 What is this software?

Weather Microserver Firmware by Columbiaweather

View all CVEs affecting Weather Microserver Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through privilege escalation, persistent backdoor installation, data destruction, and lateral movement to other systems.

🟠

Likely Case

Unauthorized shell access leading to data theft, configuration changes, and installation of additional malware for persistence.

🟢

If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though risk remains elevated.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires admin credentials but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01

Restart Required: No

Instructions:

1. Review CISA advisory ICSA-26-006-01. 2. Contact MicroServer vendor for specific patch information. 3. Apply vendor-recommended updates when available.

🔧 Temporary Workarounds

Remove unused webshell

linux

Locate and delete the unused webshell file to eliminate the vulnerability vector.

Copy

find / -name "*webshell*" -type f 2>/dev/null
# Review and remove identified files carefully

Implement login attempt limits

all

Configure authentication systems to limit failed login attempts and implement account lockouts.

🧯 If You Can't Patch

• Implement strict network segmentation to isolate MicroServer from critical systems
• Enforce multi-factor authentication and strong credential policies for admin accounts

🔍 How to Verify

Check if Vulnerable:

Copy

Check for presence of webshell files and review authentication logs for unlimited login attempts.

Check Version:

Copy

Contact vendor for version-specific vulnerability information

Verify Fix Applied:

Copy

Verify webshell files are removed and authentication controls are properly limiting login attempts.

📡 Detection & Monitoring

Log Indicators:

• Multiple failed login attempts from same source
• Unusual file modification patterns in sudo-accessible directories
• Webshell file access logs

Network Indicators:

• Unexpected outbound connections (reverse shells)
• Unusual authentication traffic patterns

SIEM Query:

Copy

source="microserver" AND (event_type="authentication_failure" count>10) OR (file_path="*webshell*" AND operation="access")

📊 Metadata

CVE ID: CVE-2025-66620

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-553

EPSS Score: 0.08% exploit probability (24.2th percentile)

Published: January 7, 2026

Last Updated: January 22, 2026

🔗 References

• https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-006-01.json Third Party Advisory
• https://www.cisa.gov/news-events/ics-advisories/icsa-26-006-01 Third Party Advisory,US Government Resource

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON