CVE-2025-62193

9.8 CRITICAL
Published: January 15, 2026 Modified: January 16, 2026
View on NVD

Description

Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/NOAA-PMEL/LAS/blob/main/README.md
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://github.com/NOAA-PMEL/LAS/tree/main
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json
Source: 9119a7d8-5eab-497f-8521-727c672e3725
https://www.cve.org/CVERecord?id=CVE-2025-62193
Source: 9119a7d8-5eab-497f-8521-727c672e3725

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
0.3%
52th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-78

Related CVEs

CVE-2026-4302 7.2
CVE-2026-32899 4.3
CVE-2026-32898 5.4
CVE-2026-32897 3.7
CVE-2026-32896 4.8