VA-26-015-01
Vulnerability from csaf_cisa - Published: 2026-01-15 19:59 - Updated: 2026-01-15 19:59 — Summary
NOAA PMEL Live Access Server (LAS) command injection
Notes
Legal Notice
All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed
Worldwide
Critical Infrastructure Sectors
Information Technology
Risk Evaluation
Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging the Ferret/PyFerret SPAWN command, which runs its argument as a shell command on the server, a remote, unauthenticated attacker can execute arbitrary OS commands in the context of the LAS server process.
Recommended Practices
Fixed in a version of 'gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java' from 2025-09-24 (see the NOAA-PMEL/LAS fix commits referenced in this advisory). Because the fix is a change to a request input filter rather than a new release number, and the product tree lists LAS 8 as both affected and fixed, a version string alone does not show whether a deployment is patched: confirm that the deployed build actually contains the 2025-09-24 filter. Until the fix is deployed, limit network exposure of the LAS instance, since the flaw is reachable without authentication. See updated LAS guidance here: https://github.com/NOAA-PMEL/LAS/blob/main/README.md
Company Headquarters Location
United States
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
"title": "Legal Notice"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries and Areas Deployed"
},
{
"category": "other",
"text": "Information Technology",
"title": "Critical Infrastructure Sectors"
},
{
"category": "summary",
"text": "Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging the Ferret/PyFerret SPAWN command, which runs its argument as a shell command on the server, a remote, unauthenticated attacker can execute arbitrary OS commands in the context of the LAS server process.",
"title": "Risk Evaluation"
},
{
"category": "general",
"text": "Fixed in a version of \u0027gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java\u0027 from 2025-09-24 (see the NOAA-PMEL/LAS fix commits referenced in this advisory). Because the fix is a change to a request input filter rather than a new release number, and the product tree lists LAS 8 as both affected and fixed, a version string alone does not show whether a deployment is patched: confirm that the deployed build actually contains the 2025-09-24 filter. Until the fix is deployed, limit network exposure of the LAS instance, since the flaw is reachable without authentication. See updated LAS guidance here: https://github.com/NOAA-PMEL/LAS/blob/main/README.md",
"title": "Recommended Practices"
},
{
"category": "other",
"text": "United States",
"title": "Company Headquarters Location"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "https://www.cisa.gov/report",
"issuing_authority": "CISA",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "Vulnerability Advisory VA-26-015-01 CSAF",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json"
}
],
"title": "NOAA PMEL Live Access Server (LAS) command injection",
"tracking": {
"current_release_date": "2026-01-15T19:59:37Z",
"generator": {
"engine": {
"name": "VINCE-NT",
"version": "1.11.0"
}
},
"id": "VA-26-015-01",
"initial_release_date": "2026-01-15T19:59:37Z",
"revision_history": [
{
"date": "2026-01-15T19:59:37Z",
"number": "1.0.0",
"summary": "Initial publication"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "8",
"product": {
"name": "National Oceanic and Atmospheric Administration (NOAA) Live Access Server (LAS) 8",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "Live Access Server (LAS)"
}
],
"category": "vendor",
"name": "National Oceanic and Atmospheric Administration (NOAA)"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-62193",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "summary",
"text": "Sites running NOAA PMEL Live Access Server (LAS) are vulnerable to remote code execution via specially crafted requests that include PyFerret expressions. By leveraging the Ferret/PyFerret SPAWN command, which runs its argument as a shell command on the server, a remote, unauthenticated attacker can execute arbitrary OS commands in the context of the LAS server process. Fixed in a version of \u0027gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java\u0027 from 2025-09-24; see the fix commits referenced in this advisory.",
"title": "Description"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2025-09-22T16:49:07Z/",
"title": "SSVC"
}
],
"product_status": {
"fixed": [
"CSAFPID-0001"
],
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "github.com",
"url": "https://github.com/NOAA-PMEL/LAS/tree/main"
},
{
"category": "external",
"summary": "github.com",
"url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md"
},
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62193"
},
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-015-01.json"
},
{
"category": "external",
"summary": "github.com",
"url": "https://github.com/NOAA-PMEL/LAS/commit/de5f9237bfd4ac5085bcc49a6e30bbc9507ddb29"
},
{
"category": "external",
"summary": "github.com",
"url": "https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b"
},
{
"category": "external",
"summary": "github.com",
"url": "https://github.com/NOAA-PMEL/LAS/compare/b4b7306..de5f923"
}
],
"release_date": "2026-01-15T00:00:00Z",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-01-15T00:00:00Z",
"details": "Users running LAS 8 should apply the fix as described at https://github.com/NOAA-PMEL/LAS/blob/main/README.md, which involves a version of \u0027gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java\u0027 from 2025-09-24. Because LAS 8 is listed as both affected and fixed, verify that the deployed build actually contains the updated filter (the fix commits referenced in this advisory) rather than relying on the version number; until it does, limit network exposure of the LAS instance, since the flaw is reachable without authentication.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md"
},
{
"category": "vendor_fix",
"date": "2026-01-15T00:00:00Z",
"details": "Users running LAS 8 should apply the fix as described at https://github.com/NOAA-PMEL/LAS/blob/main/README.md, which involves a version of \u0027gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java\u0027 from 2025-09-24. Because LAS 8 is listed as both affected and fixed, verify that the deployed build actually contains the updated filter (the fix commits referenced in this advisory) rather than relying on the version number; until it does, limit network exposure of the LAS instance, since the flaw is reachable without authentication.",
"product_ids": [
"CSAFPID-0001"
],
"url": "https://github.com/NOAA-PMEL/LAS/blob/main/README.md"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"title": "NOAA PMEL Live Access Server (LAS) PyFerret command injection"
}
]
}