CVE-2025-41755 PUBLISHED

Arbitrary Read with ubr-logread

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 09.03.2026 Updated: 09.03.2026

A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it to reference any file and retrieve its contents.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	MBS
Product	UBR-01 Mk II
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-02
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-LON
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Credits

Adrien Rey from Cyber Defense Campus Zurich finder
Daniel Hulliger from Armasuisse finder

References

https://www.mbs-solutions.de/mbs-2025-0001

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE