PatchSiren cyber security CVE debrief
CVE-2025-66620 Columbia Weather Systems CVE debrief
CVE-2025-66620 is a Columbia Weather Systems MicroServer firmware issue disclosed by CISA on 2026-01-06. CISA describes an unused webshell that permits unlimited login attempts; with admin access, an attacker may obtain limited shell access, persist via reverse shells, and modify or remove files on the device.
- Vendor: Columbia Weather Systems
- Product: MicroServer firmware
- CVSS: HIGH 8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-06
- Original CVE updated: 2026-01-06
- Advisory published: 2026-01-06
- Advisory updated: 2026-01-06
Who should care
Organizations operating Columbia Weather Systems MicroServer firmware, especially teams responsible for embedded or industrial/OT environments and anyone managing admin access to these devices.
Technical summary
According to the CISA CSAF advisory, the MicroServer contains an unused webshell that allows unlimited login attempts and has sudo rights on certain files and directories. The advisory says an attacker with admin access to the MicroServer can gain limited shell access, enabling persistence via reverse shells and the ability to modify or remove data stored in the filesystem. The published CVSS vector is AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which indicates high impact on confidentiality, integrity and availability, but also that some privileges (PR:L) and adjacent-network access (AV:A) are part of the stated attack context.
Defensive priority
High. The impact is severe for confidentiality, integrity, and availability, and the CISA advisory references a vendor fix. The advisory does not report public exploitation, and the issue is not KEV-listed in the stored evidence, but affected firmware should still be prioritized for upgrade because the downside includes persistence and filesystem tampering.
Recommended defensive actions
- Update MicroServer firmware to version MS_4.1_14142 or later, per Columbia Weather Systems guidance.
- If immediate updating is not possible, restrict and closely monitor administrative access to the MicroServer.
- Review device exposure and limit adjacent-network access paths to the firmware management interface.
- Validate filesystem integrity and look for unauthorized changes on affected systems.
- Follow CISA industrial control system recommended practices and defense-in-depth guidance for segmentation, access control, and monitoring.
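As an added example (not code from the CISA advisory or from Columbia Weather Systems), the following Python helper supports the first and fourth actions above: it decides whether a reported firmware version predates the fixed release MS_4.1_14142, assuming the version string follows the MS_<major>.<minor>_<build> pattern of that one known value, and it diffs a SHA-256 baseline of a directory tree to flag modified, removed and added files. The sample tree it inspects is constructed inside the block.

```python
"""Added example: firmware version check plus filesystem baseline diff.
The MS_<major>.<minor>_<build> version pattern is an assumption drawn
from the single fixed-version string MS_4.1_14142 in the advisory."""
import hashlib
import os
import re
import tempfile

FIXED_VERSION = "MS_4.1_14142"
_VER_RE = re.compile(r"^MS_(\d+)\.(\d+)_(\d+)$")

def parse_version(version: str) -> tuple:
    """Split 'MS_4.1_14142' into (4, 1, 14142) for ordered comparison."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def hash_tree(root: str) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return baseline

def diff_baseline(before: dict, after: dict) -> dict:
    """Report files whose content changed, that vanished, or that appeared."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "removed": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }

def demo() -> dict:
    """Constructed sample: baseline a small tree, tamper with it, re-hash it."""
    root = tempfile.mkdtemp()
    for rel, data in (("etc/config.txt", b"port=80\n"), ("www/index.html", b"<html>\n")):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    before = hash_tree(root)
    with open(os.path.join(root, "etc/config.txt"), "wb") as fh:  # modified file
        fh.write(b"port=8080\n")
    os.remove(os.path.join(root, "www/index.html"))                # removed file
    with open(os.path.join(root, "www/.cache"), "wb") as fh:       # added file
        fh.write(b"x")
    return diff_baseline(before, hash_tree(root))
```

Run the baseline capture on a known-good device image and store the result off-device, then compare against a fresh capture after any suspected admin-account misuse.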
Evidence notes
All statements are derived from the supplied CISA CSAF source item and the official reference links included in the corpus. The advisory revision history shows initial publication and a same-day revision that updated risk evaluation, research acknowledgment, and vendor mitigations. No exploit code or unverified exploitation details are included.
Official resources
- CVE-2025-66620 CVE record (CVE.org)
- CVE-2025-66620 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2026-01-06, matching the CVE published and modified timestamps supplied in the corpus. The advisory revision history shows an initial publication and a same-day revision; those dates should be treated as the c