CVE-2025-25732

Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/922.html	Technical Description
https://phrack.org/issues/72/16_md	Exploit Third Party Advisory
https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dec7e7/KTC-CVS_RIS-9260_DataSheet.pdf	Broken Link
https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3efcd5/Kapsch_RIS-9160_Datasheet_EN.pdf	Product
https://www.kapsch.net/en	Product
https://www.kapsch.net/en/press/releases/ktc-20200813-pr-en	Product

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:kapsch:ris-9160_firmware:3.2.0.829.23:::::::*
	cpe:2.3:o:kapsch:ris-9160_firmware:3.8.0.1119.42:::::::*
	cpe:2.3:o:kapsch:ris-9160_firmware:4.6.0.1211.28:::::::*

cpe:2.3:h:kapsch:ris-9160:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:kapsch:ris-9260_firmware:3.2.0.829.23:::::::*
	cpe:2.3:o:kapsch:ris-9260_firmware:3.8.0.1119.42:::::::*
	cpe:2.3:o:kapsch:ris-9260_firmware:4.6.0.1211.28:::::::*

cpe:2.3:h:kapsch:ris-9260:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-26 15:15

Updated : 2025-10-22 15:15

NVD link : CVE-2025-25732

Mitre link : CVE-2025-25732

CVE.ORG link : CVE-2025-25732

JSON object : View

Products Affected

kapsch

ris-9260_firmware
ris-9260
ris-9160_firmware
ris-9160

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2025-25732", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.9}]}, "published": "2025-08-26T15:15:42.080", "references": [{"url": "https://cwe.mitre.org/data/definitions/922.html", "tags": ["Technical Description"], "source": "[email protected]"}, {"url": "https://phrack.org/issues/72/16_md", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.kapsch.net/_Resources/Persistent/3d251a8445e0bf50093903ad70b3dbed34dec7e7/KTC-CVS_RIS-9260_DataSheet.pdf", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://www.kapsch.net/_Resources/Persistent/55fb8d0fb279262809eac88d457894db1b3efcd5/Kapsch_RIS-9160_Datasheet_EN.pdf", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.kapsch.net/en", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://www.kapsch.net/en/press/releases/ktc-20200813-pr-en", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root."}, {"lang": "es", "value": "Un control de acceso incorrecto en el componente EEPROM de Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, y v4.6.0.1211.28 permite a los atacantes reemplazar los hashes de contrase\u00f1as almacenados en la EEPROM con sus propios hashes, lo que lleva a la escalada de privilegios a root."}], "lastModified": "2025-10-22T15:15:31.900", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:kapsch:ris-9160_firmware:3.2.0.829.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1385F53F-B8B3-460B-AF40-3E6C0373E56F"}, {"criteria": "cpe:2.3:o:kapsch:ris-9160_firmware:3.8.0.1119.42:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89FBCE38-F618-4885-9A19-4387C26B0648"}, {"criteria": "cpe:2.3:o:kapsch:ris-9160_firmware:4.6.0.1211.28:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5A25078-2E54-4458-B2A1-12B22BFE5BC9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:kapsch:ris-9160:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03950C43-60AC-46A7-8C69-BFFC24297EA9"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:kapsch:ris-9260_firmware:3.2.0.829.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A962F165-2FB7-4CD7-A316-0696668B8CC2"}, {"criteria": "cpe:2.3:o:kapsch:ris-9260_firmware:3.8.0.1119.42:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98025B93-400E-435F-B1C1-EBFA2777E013"}, {"criteria": "cpe:2.3:o:kapsch:ris-9260_firmware:4.6.0.1211.28:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "221A418C-D55A-4A63-9711-CA8025C4C709"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:kapsch:ris-9260:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "6AB37525-44FC-456A-ACE1-0661BC9D0CFD"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}