CVE-2025-41759 PUBLISHED

Use of wildcard (“*” or “all”) in Block list

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 09.03.2026 Updated: 09.03.2026

An administrator may attempt to block all networks by specifying "*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.9

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	MBS
Product	UBR-01 Mk II
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-02
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-LON
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Credits

Adrien Rey from Cyber Defense Campus Zurich finder
Daniel Hulliger from Armasuisse finder

References

https://www.mbs-solutions.de/mbs-2025-0001

Problem Types

CWE-636 Not Failing Securely ('Failing Open') CWE