{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "lang": "en-US",
    "publisher": {
      "category": "coordinator",
      "contact_details": "https://www.cisa.gov/report",
      "issuing_authority": "CISA",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "title": "NOAA PMEL Live Access Server (LAS) command injection",
    "tracking": {
      "current_release_date": "2026-01-15T19:59:37Z",
      "generator": {
        "engine": {
          "name": "VINCE-NT",
          "version": "1.11.0"
        }
      },
      "id": "VA-26-015-01",
      "initial_release_date": "2026-01-15T19:59:37Z",
      "status": "final",
      "version": "1.0.0",
      "revision_history": [
        {
          "number": "1.0.0",
          "summary": "Initial publication",
          "date": "2026-01-15T19:59:37Z"
        }
      ]
    },
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "notes": [
      {
        "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
        "title": "Legal Notice",
        "category": "legal_disclaimer"
      },
      {
        "text": "Worldwide",
        "title": "Countries and Areas Deployed",
        "category": "other"
      },
      {
        "text": "Information Technology",
        "title": "Critical Infrastructure Sectors",
        "category": "other"
      },
      {
        "text": "Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands.",
        "title": "Risk Evaluation",
        "category": "summary"
      },
      {
        "text": "Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24. See updated LAS guidance here: https://github.com/NOAA-PMEL/LAS/blob/main/README.md",
        "title": "Recommended Practices",
        "category": "general"
      },
      {
        "text": "United States",
        "title": "Company Headquarters Location",
        "category": "other"
      }
    ],
    "references": [
      {
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json",
        "summary": "Vulnerability Advisory VA-26-015-01 CSAF",
        "category": "self"
      }
    ]
  },
  "product_tree": {
    "branches": [
      {
        "category": "vendor",
        "name": "National Oceanic and Atmospheric Administration (NOAA)",
        "branches": [
          {
            "category": "product_name",
            "name": "Live Access Server (LAS)",
            "branches": [
              {
                "category": "product_version",
                "name": "8",
                "product": {
                  "name": "National Oceanic and Atmospheric Administration (NOAA) Live Access Server (LAS) 8",
                  "product_id": "CSAFPID-0001"
                }
              }
            ]
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-62193",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      },
      "notes": [
        {
          "category": "summary",
          "text": "Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging a SPAWN command, a remote, unauthenticated attacker can execute arbitrary OS commands. Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.",
          "title": "Description"
        },
        {
          "category": "details",
          "title": "SSVC",
          "text": "SSVCv2/E:N/A:N/T:T/2025-09-22T16:49:07Z/"
        }
      ],
      "title": "NOAA PMEL Live Access Server (LAS) PyFerret command injection",
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ],
        "fixed": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "github.com",
          "url": "https://github.com/NOAA-PMEL/LAS/tree/main"
        },
        {
          "category": "external",
          "summary": "github.com",
          "url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md"
        },
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-62193"
        },
        {
          "category": "external",
          "summary": "raw.githubusercontent.com",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json"
        },
        {
          "category": "external",
          "summary": "github.com",
          "url": "https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29"
        },
        {
          "category": "external",
          "summary": "github.com",
          "url": "https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b"
        },
        {
          "category": "external",
          "summary": "github.com",
          "url": "https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Users running LAS 8 should apply the fix as described at https://github.com/NOAA-PMEL/LAS/blob/main/README.md, which involves a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.",
          "url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "date": "2026-01-15T00:00:00Z"
        },
        {
          "category": "vendor_fix",
          "details": "Users running LAS 8 should apply the fix as described at https://github.com/NOAA-PMEL/LAS/blob/main/README.md, which involves a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24.",
          "url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "date": "2026-01-15T00:00:00Z"
        }
      ],
      "release_date": "2026-01-15T00:00:00Z"
    }
  ]
}