CVE-2025-66620 HIGH

CVE-2025-66620: Columbia Weather Systems MicroServer Command Shell in Externally Accessible Directory

Vendor Columbia Weather Systems
Product MicroServer
Weakness CWE-553
Published January 7, 2026
Last update January 7, 2026

CVSS base score

8.6/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. An attacker with admin access to MicroServer can gain limited shell access, enabling persistence through reverse shells, and the ability to modify or remove data stored in the file system.

Key dates

02 Disclosure timeline

January 7, 2026 CVE published
January 7, 2026 Record updated