CVE-2025-25733
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-10-22

Assigner: MITRE

Description
Incorrect access control in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows physically proximate attackers to arbitrarily modify SPI flash regions, leading to a degradation of the security posture of the device.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-25733
EUVD
EUVD-2025-25800
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
kapsch ris-9160_firmware 3.2.0.829.23
kapsch ris-9160_firmware 3.8.0.1119.42
kapsch ris-9160_firmware 4.6.0.1211.28
kapsch ris-9160 *
kapsch ris-9260_firmware 3.2.0.829.23
kapsch ris-9260_firmware 3.8.0.1119.42
kapsch ris-9260_firmware 4.6.0.1211.28
kapsch ris-9260 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1233 The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an incorrect access control issue in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 and RIS-9260 Roadside Units. It allows attackers who are physically close to the device to arbitrarily modify SPI flash memory regions. This unauthorized modification can degrade the security posture of the device by potentially altering critical system configurations stored in the SPI flash.

Impact Analysis

The vulnerability allows physically proximate attackers to modify the SPI flash memory arbitrarily, which can lead to a degradation of the device's security. This could result in unauthorized changes to system behavior, potentially compromising the stability and security of the roadside units, which may affect the safety and reliability of traffic management systems relying on these devices.

Detection Guidance

Detection of this vulnerability involves manual analysis by setting the lock bit on the SPI Flash Chip and attempting to modify the protected SPI flash regions. If modification is possible despite the lock bit being set, the vulnerability exists. Specific commands are not provided in the available resources. [2]

Mitigation Strategies

Immediate mitigation steps include reviewing the lock bit design for inconsistencies and weaknesses, and performing rigorous testing of lock programming flows both before and after silicon production to ensure effective protection. Physical security measures to prevent proximate attackers from accessing the device may also help reduce risk. No specific patch or configuration steps are detailed in the provided resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-25733. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart