CVE-2025-61939 HIGH

CVE-2025-61939: Columbia Weather Systems MicroServer Improper Restriction of Communication Channel to Intended Endpoints

Vendor: Columbia Weather Systems
Product: MicroServer
Weakness: CWE-923
Published: January 7, 2026
Last update: January 7, 2026

CVSS base score

8.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An unused function in MicroServer can start a reverse SSH connection to a vendor-registered domain without mutual authentication. An attacker on the local network with admin access to the web server and the ability to manipulate DNS responses can redirect the SSH connection to an attacker-controlled device.

Key dates

02 Disclosure timeline

January 7, 2026: CVE published
January 7, 2026: Record updated