PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-61939 Columbia Weather Systems CVE debrief

CISA's ICSA-26-006-01, published on 2026-01-06 and revised the same day, describes a weakness in Columbia Weather Systems MicroServer firmware. An unused function can start a reverse SSH connection to a vendor-registered domain without mutual authentication. If an attacker already has local-network access and admin access to the web server, and can manipulate DNS responses, they may redirect that SSH connection to an attacker-controlled device.

Vendor: Columbia Weather Systems
Product: MicroServer firmware
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-01-06
Original CVE updated: 2026-01-06
Advisory published: 2026-01-06
Advisory updated: 2026-01-06

Who should care

Columbia Weather Systems MicroServer firmware owners, industrial control system operators, and administrators responsible for the device's web interface, remote access, or network DNS controls.

Technical summary

The advisory describes an unused MicroServer function that can initiate a reverse SSH connection to a vendor-registered domain. Because the connection lacks mutual authentication, an attacker who meets the stated preconditions—local-network access, admin access to the web server, and the ability to manipulate DNS responses—could redirect the SSH connection to a device they control.

Defensive priority

High. The advisory rates the issue CVSS 8.8, and the potential impact is significant, but the exposure is not universal: the attacker needs local-network presence, administrative access to the web server, and DNS manipulation capability.

Recommended defensive actions

  • Update MicroServer firmware to MS_4.1_14142 or later, as recommended by Columbia Weather Systems.
  • Contact Columbia Weather Systems Support directly at [email protected] or 503-629-0887 to obtain the update and apply it through the vendor process.
  • Restrict administrative access to the MicroServer web server and segment the device on trusted management networks.
  • Protect DNS responses and management-plane name resolution from spoofing or unauthorized changes.
  • Follow CISA industrial control system recommended practices for access control, segmentation, and monitoring around the device.
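The DNS-manipulation precondition above is something a defender can watch for on the resolver: answers for the outbound hostname that stop pointing where they should. The following is an added example, not code from Columbia Weather Systems or CISA; the hostname, address ranges and log lines are constructed placeholders, since the advisory does not name the vendor-registered domain.

```python
"""Flag resolver answers for a monitored hostname that fall outside the
operator-pinned address set (constructed example for ICSA-26-006-01)."""
import ipaddress
import re

# Placeholder: the advisory does not name the vendor-registered domain.
MONITORED_HOST = "reverse-ssh.vendor.example"
# Assumed: ranges the operator has confirmed with the vendor ahead of time.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumed resolver log shape (constructed): "<ts> client=<ip> qname=<name> A <answer>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) A (?P<answer>\S+)$"
)

def normalize_name(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()

def is_expected(answer: str) -> bool:
    """True only when the answer is an IP literal inside a pinned network."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False  # not an IP literal: never treat as trusted
    return any(addr in net for net in EXPECTED_NETS)

def find_redirected_answers(lines):
    """Return (ts, client, answer) for each answer to MONITORED_HOST outside
    EXPECTED_NETS; lines that do not parse or name another host are skipped."""
    hits = []
    target = normalize_name(MONITORED_HOST)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or normalize_name(m["qname"]) != target:
            continue
        if not is_expected(m["answer"]):
            hits.append((m["ts"], m["client"], m["answer"]))
    return hits

# Constructed sample resolver log; 10.0.5.20 stands in for the MicroServer.
SAMPLE_LOG = [
    "2026-01-06T10:00:01Z client=10.0.5.20 qname=reverse-ssh.vendor.example. A 203.0.113.10",
    "2026-01-06T10:01:30Z client=10.0.5.21 qname=time.example.net. A 192.0.2.5",
    "2026-01-06T10:02:11Z client=10.0.5.20 qname=reverse-ssh.vendor.example. A 198.51.100.7",
    "2026-01-06T10:02:12Z client=10.0.5.20 qname=REVERSE-SSH.vendor.example A 10.0.5.99",
    "garbage line that does not match",
]

if __name__ == "__main__":
    for ts, client, answer in find_redirected_answers(SAMPLE_LOG):
        print(f"{ts} {client}: {MONITORED_HOST} answered {answer} (outside pinned ranges)")
```

Pinning answers this way only narrows the exposure; the lasting fix is the vendor firmware update, since the SSH client itself does not authenticate the far end.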

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-006-01 for CVE-2025-61939 and its revision history, which records an initial publication and a same-day revision updating risk evaluation, research acknowledgment, and vendor mitigations. The source corpus does not indicate a KEV listing or ransomware use.

Official resources

CISA published ICSA-26-006-01 on 2026-01-06 and issued a same-day revision that updated risk evaluation, research acknowledgment, and vendor mitigations.