Critical Vulnerability Information

Vulnerability Overview
CVE ID: CVE-2025-47423
Discoverer: Matthew Eagle
Status: Public Disclosure
Report Date: 2025-05-05

Vulnerability Details
Vulnerability Type: Local File Inclusion (LFI)
Affected Component: Personal Weather Station Dashboard version 12_lts
Affected File: /others/_test.php
Vulnerable Parameter: test (via GET)

Impact
Remote attackers can:
- Read arbitrary files on the filesystem
- Expose private SSL keys (e.g., server.key)
- Perform Man-in-the-Middle (MITM) attacks
- Impersonate HTTPS servers
CVSS Score: Critical (Base Score ~9.8)

Proof of Concept (PoC)

Vulnerable Code (Simplified)
is insufficient to prevent directory traversal.

Security Remediation Recommendations
- Use strict whitelisting to restrict inclusion targets
- Use to sanitize input and validate allowed files
- Avoid dynamic includes based on user input

Timeline

Mitigation Steps
- Immediately remove or update _test.php
- Implement fix scripts with file whitelisting
- Reissue any compromised TLS certificates

References
- CVE-2025-47423 on MITRE (pending)
- Announcement published on GitHub

Acknowledgments
Vulnerability discovered and responsibly disclosed by Matthew Eagle
Contact: meagle2006@gmail.com
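The whitelist-based include that the remediation and mitigation sections call for, written out as an added example. This is not the dashboard's own code and not the advisory's fix script: the allowed test names, the `tests/` subdirectory and the `resolveTestFile()` helper are assumptions chosen for illustration. The only thing taken from the advisory is that the handler reads a `test` GET parameter and passes it to an include.

```php
<?php
// Added example of a hardened replacement for a user-driven include.
// Not the project's code; ALLOWED_TESTS entries and the tests/ directory are
// placeholders assumed for this example.
declare(strict_types=1);

// Strict whitelist: the request may name only a key in this map. The raw
// request value is never used as a path, so "../", absolute paths and
// php:// or file:// wrappers can never reach include().
const ALLOWED_TESTS = [
    'sensors' => 'test_sensors.php',
    'upload'  => 'test_upload.php',
];

/**
 * Map the user-supplied test name to a real file inside $baseDir.
 * Returns null for anything that is not whitelisted, or for a whitelisted
 * entry whose resolved path somehow escapes $baseDir (defence in depth
 * against a symlink or a mistaken map entry).
 */
function resolveTestFile(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, ALLOWED_TESTS)) {
        return null;
    }

    $root      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TESTS[$requested]);

    if ($root === false || $candidate === false) {
        return null;
    }

    // The resolved file must sit strictly below the resolved base directory.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

$requested = isset($_GET['test']) ? (string) $_GET['test'] : '';
$file      = resolveTestFile($requested, __DIR__ . DIRECTORY_SEPARATOR . 'tests');

if ($file === null) {
    // Log the rejected value (truncated) so probing shows up in the web log,
    // then fail closed without echoing the input back to the client.
    error_log('Rejected test parameter: ' . substr($requested, 0, 100));
    http_response_code(400);
    exit('Unknown test');
}

include $file;
```

The map from request value to file name is the actual control: validation functions only supplement it. Because `$file` can only ever be one of the paths produced from `ALLOWED_TESTS`, a request such as `?test=../../etc/passwd` or `?test=server.key` is rejected before any filesystem access, and the `realpath()` prefix check catches the remaining case where a whitelisted entry resolves outside the intended directory.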