Radiometrics VizAir REST API Key Exposure Vulnerability Allowing Unauthorized Data Manipulation and Denial-of-Service

Vulnerability

A vulnerability in Radiometrics VizAir prior to August 2025 exposes the system's REST API key through a publicly accessible configuration file. This flaw enables attackers to remotely alter weather data and configurations, automate attacks across multiple instances, and extract sensitive meteorological information, potentially disrupting airport operations. The vulnerability also opens the door to flooding the system with false alerts, creating a denial-of-service condition that could lead to significant operational disruptions. Unauthorized control over aviation weather monitoring and data manipulation could result in incorrect flight planning and hazardous takeoff and landing conditions.

Impact

Exploitation of this vulnerability could allow for unauthorized access to the admin panel, enabling attackers to manipulate critical weather parameters and runway settings. This could mislead air traffic control and pilots, disrupt airport operations, and create hazardous flight conditions. Additionally, the vulnerability could be exploited to cause a denial-of-service condition by flooding the system with false alerts.

Remediation

Radiometrics has performed updates on all affected systems to resolve these vulnerabilities. No further action is needed on the user's end.

Added: Nov 4, 2025, 5:32 PM
Updated: Nov 4, 2025, 5:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.4
remediation: 0.0
relevance: 1.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.