CVE-2025-62193 Overview
CVE-2025-62193 is a critical command injection vulnerability affecting NOAA PMEL Live Access Server (LAS), a web-based application used for visualizing and accessing oceanographic and climate data. The vulnerability allows remote, unauthenticated attackers to execute arbitrary operating system commands on affected servers by crafting malicious requests containing PyFerret expressions with embedded SPAWN commands.
This vulnerability represents a severe security risk as it requires no authentication and can be exploited remotely over the network. The flaw exists in the request processing mechanism, specifically in the RequestInputFilter.java component, which fails to properly sanitize user-supplied Ferret expressions before processing them.
Critical Impact
Remote, unauthenticated attackers can achieve full system compromise by executing arbitrary OS commands through malicious PyFerret SPAWN expressions, potentially leading to data theft, system manipulation, or lateral movement within the network.
Affected Products
- NOAA PMEL Live Access Server (LAS) - versions prior to the 2025-09-24 fix
- Systems running unpatched gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java
Discovery Timeline
- 2026-01-15 - CVE-2025-62193 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-62193
Vulnerability Analysis
This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw allows attackers to inject and execute arbitrary shell commands through the PyFerret expression handling mechanism in the Live Access Server.
The vulnerability exists because the application processes user-supplied Ferret expressions without proper validation or sanitization. PyFerret, a scientific analysis tool integrated with LAS, supports a SPAWN command that can execute arbitrary operating system commands. When combined with the lack of input filtering, this creates a direct path from user input to system command execution.
The attack surface is significant because LAS instances are typically deployed as publicly accessible web services for researchers and the general public to access oceanographic data. This public exposure, combined with the lack of authentication requirements, makes exploitation straightforward for attackers who identify vulnerable instances.
Root Cause
The root cause is the absence of input validation on Ferret expressions submitted through the request filter. The RequestInputFilter.java component processes XML requests containing a ferret/expression property without checking whether the expression contains dangerous commands like SPAWN. This allows attackers to inject arbitrary OS commands that are subsequently executed with the privileges of the web application server.
Attack Vector
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable LAS instance. The request contains an XML payload with a malicious Ferret expression that includes a SPAWN command. When the server processes this request, the embedded OS command is executed without any authentication or authorization checks.
The attack flow is:
- Attacker identifies a publicly accessible LAS instance
- Attacker crafts an XML request containing a Ferret expression with an embedded SPAWN command
- The malicious request bypasses input validation in RequestInputFilter.java
- The SPAWN command executes arbitrary OS commands on the server
- Attacker gains remote code execution capabilities
The fix implemented in the security patch adds validation to reject any requests containing Ferret expressions:
// Security patch - Source: https://github.com/NOAA-PMEL/LAS/commit/e69afb1898ae7e69f3e047513fc1e5570373912b
if ( (requestXML != null && !requestXML.equals("")) ) {
try {
requestXML = JDOMUtils.decode(requestXML, "UTF-8");
+ String expression = lasRequest.getProperty("ferret", "expression");
+ if (!expression.isEmpty()) {
+ LASAction.logerror(request, "Ferret expressions are no longer allowed.", "");
+ response.sendError(404, "Ferret expressions are no longer allowed.");
+ return;
+ }
} catch (UnsupportedEncodingException e) {
LASAction.logerror(request, "Error decoding the XML request query string.", e);
response.sendError(HttpServletResponse.SC_NOT_FOUND, "Request contains an illegal xml query parameter value.");
Source: GitHub Commit Changes
Detection Methods for CVE-2025-62193
Indicators of Compromise
- Unusual HTTP requests to LAS endpoints containing ferret/expression parameters
- Server logs showing SPAWN commands or shell execution patterns in request XML
- Unexpected processes spawned by the Java web application server (Tomcat/Jetty)
- Outbound network connections from the LAS server to unknown destinations
- Anomalous file system modifications or new files created by the web server process
Detection Strategies
- Monitor web application logs for requests containing Ferret expressions or SPAWN keywords
- Implement web application firewall (WAF) rules to detect and block XML payloads with suspicious command patterns
- Enable process monitoring on LAS servers to detect unexpected child processes from Java/Tomcat
- Review access logs for unusual request patterns targeting LAS endpoints
- Deploy intrusion detection system (IDS) signatures for known command injection patterns
Monitoring Recommendations
- Configure alerting for any requests containing the string SPAWN in request bodies or parameters
- Monitor server resource utilization for anomalies indicating cryptominer or backdoor activity
- Implement network traffic analysis for unexpected outbound connections from LAS infrastructure
- Enable Java application security logging to capture detailed request processing events
How to Mitigate CVE-2025-62193
Immediate Actions Required
- Update NOAA PMEL Live Access Server to a version containing the fix from 2025-09-24 or later
- Review server logs for any indicators of prior exploitation attempts
- Restrict network access to LAS instances using firewall rules where possible
- Consider temporarily disabling the service if patching cannot be performed immediately
- Conduct incident response investigation if exploitation indicators are discovered
Patch Information
The vulnerability has been fixed in an updated version of gov.noaa.pmel.tmap.las.filter.RequestInputFilter.java released on 2025-09-24. The patch completely disables Ferret expression processing, returning a 404 error for any requests attempting to use this functionality. Organizations should obtain the patched version from the NOAA PMEL LAS GitHub repository and follow standard deployment procedures.
Relevant commits documenting the fix:
Additional information is available in the CISA CSAF Vulnerability Document.
Workarounds
- Deploy a web application firewall (WAF) with rules blocking requests containing Ferret expressions or SPAWN commands
- Use network segmentation to restrict access to LAS servers from untrusted networks
- Implement reverse proxy filtering to strip or block requests with suspicious XML payloads
- If Ferret expression functionality is not required, manually disable it by modifying the application configuration
# Example WAF rule concept for blocking suspicious requests
# Block requests containing SPAWN in the request body
# Implementation varies by WAF vendor
# Network-level mitigation: restrict LAS access to trusted IP ranges
iptables -A INPUT -p tcp --dport 8080 -s TRUSTED_NETWORK/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
