Security Advisory ISEC-2024-001: Remote Code Execution vulnerability in the Product Delivery Service (PDS) - CVE-2025-XXXX

Summary

A security vulnerability has been identified in the Visual Weather's Product Delivery Service (PDS) when using Message Editor Output Filters in specific server configurations. An attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code.

This vulnerability could lead to a complete compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices.

Affected Products and Versions

This vulnerability affects the following versions of Visual Weather and derived products (Aero Weather, Satellite Weather):

• Visual Weather 8.6.0
• Visual Weather 8.2.5
• Visual Weather 7.3.9
• Visual Weather 7.3.10
• Visual Weather 7.3.6 (Enterprise Build)
• Visual Weather 8.5.2 (Enterprise Build)
• Derived products (NAMIS, Aero Weather, Satellite Weather) (same versions as listed above)

Impact and Severity

• Impact: Remote Code Execution (RCE), Full Server Compromise in case of misconfiguration
• CVSS Score: 8.1 High (Base Score) 7.5 High (Overall CVSS Score), [AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H]

An attacker leveraging this vulnerability could execute arbitrary Python code and potentially gain unauthorized control of the server.

Vulnerability Details

The vulnerability is triggered in server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled. Attackers can craft malicious requests with specific Form Properties and thus achieving remove code execution.

Remediation

Immediate Action Required:

• Update: Upgrade to the patched versions (forthcoming or consult vendor support).
• Temporary Mitigation:
  1. Disable PDS pipelines utilizing IPDS pipelines in server configurations.
  2. Enforce installation best practices by ensuring Visual Weather services are not run under a privileged user account.
  3. Restrict network access to the PDS pipeline endpoint to trusted IP ranges only.

Note: Contact IBL Support Team for recommended security guidelines and hardening server configurations to minimise potential exposure to this vulnerability.

Acknowledgments

This issue was identified and reported by Ianis BERNARD (NCIA), and we thank all parties involved in securing affected systems.

References

• Published CVE Record