CVE-2025-41765

Critical CVSS: 9.1

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.

Vendor

Mbs-solutions

Product

Universal Bacnet Router Firmware

CWE

CWE-862

Yayın Tarihi

2026-03-09 09:16:00

Güncelleme

2026-03-11 18:27:29

Source Identifier

info@cert.vde.com

KEV Date Added

Kategoriler

CWE-862 Universal Bacnet Router Firmware CRITICAL Mbs-solutions 2026

Referanslar

https://www.mbs-solutions.de/mbs-2025-0001

Benzer Kayıtlar

High

CVE-2025-41766

A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr…

High

CVE-2025-41767

A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in…

High

CVE-2025-41772

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL…

Medium

CVE-2025-41760

An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an…

High

CVE-2025-41761

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to o…

Medium

CVE-2025-41762

An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauth…