Security Advisory: Remote Command Execution on Smartbedded MeteoBridge (CVE-2025-4008)

Quentin Kaiser
Lead Security Researcher

Introduction

As you may know, we recently introduced Bash static code analysis to the ONEKEY platform. If you missed it, we encourage you to read our introductory article.

To validate our rulesets, we ran that analysis step over our firmware corpus, and it picked up a command injection vulnerability in MeteoBridge, which is described as:

a small device that connects your personal weather station to public weather networks like "Weather Underground". This allows you to feed your micro climate data to a weather network in the Internet and to have it there visible from wherever you are. All you need is Internet access, to reach the weather networks' web pages, where you can inspect your current and historical data. By that you can also share your weather data with friends and you are actively participating in a large network of weather enthusiasts who also share their weather observations with you.

You'll find details about this vulnerability below, including an authentication "bypass" and a proof-of-concept.

Remote Unauthenticated Code Execution

Affected vendor & product: Smartbedded MeteoBridge Firmware
Vendor advisory: https://forum.meteohub.de/viewtopic.php?t=18687
Vulnerable version: <= 6.1
Fixed version: 6.2
CVE ID: CVE-2025-4008
Impact (CVSS): CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (8.7 - High)
Credit: ONEKEY Research Lab

Summary

The MeteoBridge web interface lets MeteoBridge administrators manage their weather station data collection and administer the MeteoBridge system through a web application written in CGI shell scripts and C.

This web interface exposes an endpoint that is vulnerable to command injection.

Impact

Remote, unauthenticated attackers can gain arbitrary command execution with elevated privileges (root) on affected devices.

These devices do show up on the Internet: according to Shodan historical trend data, between 70 and 130 of them are exposed at any given time. So while we set the attack vector to "adjacent" in our CVSS vector, be aware that these devices are sometimes reachable by anyone.

As the MeteoBridge maintainer says in the advisory:

Please let me remind that exposing your Meteobridge to the Internet is NOT recommended, as this is the precondition for exploiting any security vulnerability.

Description

The web interface exposes template.cgi at /cgi-bin/template.cgi. This CGI shell script is vulnerable to command injection because of an insecure use of eval.

Specifically, user-controlled input ($QUERY_STRING) is parsed and then used unsanitized in an eval call, so shell syntax such as a $(...) command substitution inside a request parameter is executed by the shell running the CGI script. This is reflected in the code snippet below:

This can be exploited by sending a request with curl, like this:
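As an added example (not the advisory's own snippet or curl command, and not code taken from the MeteoBridge firmware), the script below reconstructs the general shape of the problem: a CGI-style query-string parser that hands each "key=value" pair to eval, next to a parser and a file-name validator that never let request data reach the shell. The parameter name templatefile and the $(command) payload shape follow the advisory; the function names, the template directory and the exact parsing logic are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the MeteoBridge firmware. Names, the
# TEMPLATE_DIR path and the parsing logic are assumed for the demonstration;
# only the "templatefile" parameter and the "$(command)" payload shape come
# from the advisory text.

# Vulnerable pattern (assumed shape): each "key=value" pair of QUERY_STRING is
# passed to eval so that it becomes a shell assignment. eval expands $(...)
# and backticks in the value before assigning, so the client decides what the
# CGI process executes, with that process's privileges.
parse_query_vulnerable() {
    query="$1"
    templatefile=""
    old_ifs="$IFS"
    IFS='&'
    set -f                      # no pathname expansion while splitting on '&'
    for pair in $query; do
        eval "$pair"            # injection point: "templatefile=$(id)" runs id
    done
    set +f
    IFS="$old_ifs"
    printf '%s' "$templatefile"
}

# Hardened parser: split with parameter expansion, accept only known keys,
# and assign the value as a literal string. Without eval, "$(...)" stays text.
parse_query_safe() {
    query="$1"
    templatefile=""
    old_ifs="$IFS"
    IFS='&'
    set -f
    for pair in $query; do
        case "$pair" in *=*) ;; *) continue ;; esac   # skip pairs without '='
        key="${pair%%=*}"
        value="${pair#*=}"
        case "$key" in
            templatefile) templatefile="$value" ;;
            *) ;;               # unknown parameters are ignored
        esac
    done
    set +f
    IFS="$old_ifs"
    printf '%s' "$templatefile"
}

# Even without eval the value is later used as a file name, so restrict it to
# a plain file name: non-empty, no '/', no leading '.', only [A-Za-z0-9_.-].
is_safe_template_name() {
    case "$1" in
        ''|*/*|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Request handler built from the safe pieces. TEMPLATE_DIR is assumed.
TEMPLATE_DIR=/www/templates
handle_template_request() {
    name="$(parse_query_safe "$1")"
    if is_safe_template_name "$name"; then
        printf '200 %s/%s' "$TEMPLATE_DIR" "$name"
    else
        printf '400 bad templatefile'
    fi
}
```

Running parse_query_vulnerable with the query string templatefile=$(echo injected) returns "injected", which only happens because echo was executed by eval; parse_query_safe returns the literal string $(echo injected), and handle_template_request rejects it at the file-name check. A real CGI parser also URL-decodes the query string first, which does not change the outcome: the decoded value still reaches eval.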

Furthermore, this vulnerability can be exploited by unauthenticated attackers thanks to an authentication bypass.

Authentication is enforced by uhttpd, which takes its configuration from /etc/httpd.conf. The file contains the following entries:

As we can see, /cgi-bin, /exports, /charts, and /backup are protected and require basic authentication with MeteoBridge credentials. However, the affected CGI script is also served from the public directory, which is not protected: the authentication requirement is bound to the URL prefix, not to the script itself.

Unauthenticated exploitation can be achieved with this curl command, this time adjusted so the output of the injected command is visible in the response:

Exploitation through a malicious web page is also possible, since the request is a plain GET with no custom header or anti-CSRF token parameter: send the victim a link to a page containing img tags whose src is set to 'http://subnet.a/public/template.cgi?templatefile=$(command)', and the victim's browser issues the request to the device from inside the local network.
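The authentication bypass above is a consequence of a prefix-based ACL applied to a web root where the same script is reachable under two paths. The following check, added here as an example and not part of the advisory or the vendor's firmware, looks for exactly that in an extracted firmware image. It assumes a uhttpd-style httpd.conf with lines of the form /prefix:user:password that are matched against the start of the URL path; the web root it builds is constructed for the demonstration, with the directory and script names mirroring the advisory text.

```shell
#!/bin/sh
# Added example, not part of the advisory or of the vendor's firmware. The
# httpd.conf line format "/prefix:user:password" and prefix matching against
# the URL path are assumptions about uhttpd; the web root is constructed.

# Build a throw-away web root with the same script under a protected
# directory and, via a symlink, under an unprotected one.
make_demo_root() {
    root="$1"
    mkdir -p "$root/www/cgi-bin" "$root/www/public" "$root/etc"
    printf '#!/bin/sh\necho demo\n' > "$root/www/cgi-bin/template.cgi"
    ln -sf ../cgi-bin/template.cgi "$root/www/public/template.cgi"
    # Constructed httpd.conf: only these four prefixes require basic auth.
    printf '%s\n' '/cgi-bin:admin:secret' '/exports:admin:secret' \
        '/charts:admin:secret' '/backup:admin:secret' > "$root/etc/httpd.conf"
}

# Return 0 when a prefix from httpd.conf covers the URL path, 1 otherwise.
# A prefix matches the whole path or a leading directory of it.
auth_required() {
    conf="$1"
    url="$2"
    while IFS=: read -r prefix _user _pass; do
        case "$prefix" in ''|'#'*) continue ;; esac
        case "$url" in "$prefix"|"$prefix"/*) return 0 ;; esac
    done < "$conf"
    return 1
}

# Walk the web root, map each CGI file to the URL it is served at, and report
# the ones the ACL does not cover; for symlinks, show what they point to.
find_unprotected_cgi() {
    root="$1"
    find "$root/www" -name '*.cgi' | sort | while read -r f; do
        url="/${f#"$root/www/"}"
        if ! auth_required "$root/etc/httpd.conf" "$url"; then
            if [ -L "$f" ]; then
                printf 'UNPROTECTED %s -> %s\n' "$url" "$(readlink "$f")"
            else
                printf 'UNPROTECTED %s\n' "$url"
            fi
        fi
    done
}
```

Running root="$(mktemp -d)"; make_demo_root "$root"; find_unprotected_cgi "$root" prints UNPROTECTED /public/template.cgi -> ../cgi-bin/template.cgi: the script under /cgi-bin is covered by the ACL, the identical script under /public is not. On a real image, point the function at the extracted root filesystem and replace the constructed httpd.conf with the one from the image.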

Key Takeaways

  • Automated Bash Static Analysis in Action: ONEKEY’s new bash static code analysis feature immediately proved its worth by uncovering a critical command injection flaw in the MeteoBridge CGI shell scripts.
  • High-Severity, Remote Root Takeover: The vulnerability allows unauthenticated attackers to execute arbitrary commands as root—demonstrating the real-world impact of undetected shell-script issues in firmware.
  • Proactive, Responsible Disclosure: ONEKEY’s coordinated vulnerability disclosure (CVD) process engaged MeteoBridge and the German BSI, resulting in patches in version 6.2—highlighting the importance of a structured disclosure timeline.
  • Enhance Your Firmware Security Posture: ONEKEY’s platform automates detection of shell script vulnerabilities across your firmware corpus, cutting risk and response time—empowering you to stay ahead of emerging threats.

Timeline

  • 25/02/2025 - ONEKEY sends a notification email to info@smartbedded.com
  • 18/03/2025 - ONEKEY sends a notification email to info@smartbedded.com
  • 10/04/2025 - ONEKEY sends a notification email to info@smartbedded.com
  • 10/04/2025 - ONEKEY posts a message on MeteoBridge support forum
  • 11/04/2025 - MeteoBridge support forum administrator deletes the forum post and ONEKEY forum account
  • 15/04/2025 - ONEKEY sends a notification email to info@smartbedded.com, mentioning the forum post
  • 27/04/2025 - ONEKEY notifies the German BSI through its CVD email
  • 13/05/2025 - Smartbedded publishes an advisory at https://forum.meteohub.de/viewtopic.php?t=18687
  • 14/05/2025 - Smartbedded notifies the German BSI that a patch is available (version 6.2)
  • 26/05/2025 - Publication of Security Advisory
