CVE-2025-25733 — LOW (3.5) — White Hats Nepal

Vulnerability Description

Incorrect access control in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows physically proximate attackers to arbitrarily modify SPI flash regions, leading to a degradation of the security posture of the device.

CVSS Score

3.5

LOW

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Kapsch	Ris-9160 Firmware	3.2.0.829.23
Kapsch	Ris-9160	-
Kapsch	Ris-9260 Firmware	3.2.0.829.23
Kapsch	Ris-9260	-

Related Weaknesses (CWE)

CWE-1233

References

https://cwe.mitre.org/data/definitions/1233.htmlTechnical Description
https://phrack.org/issues/72/16_mdExploitThird Party Advisory
https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dBroken Link
https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3Product
https://www.kapsch.net/enProduct
https://www.kapsch.net/en/press/releases/ktc-20200813-pr-enProduct

FAQ

What is CVE-2025-25733?

CVE-2025-25733 is a vulnerability with a CVSS score of 3.5 (LOW). Incorrect access control in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows physically proximate attackers to...

How severe is CVE-2025-25733?

CVE-2025-25733 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-25733?

Check the references section above for vendor advisories and patch information. Affected products include: Kapsch Ris-9160 Firmware, Kapsch Ris-9160, Kapsch Ris-9260 Firmware, Kapsch Ris-9260.