CVE-2025-41764 PUBLISHED

Unchecked role in wwwupdate.cgi

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 09.03.2026 Updated: 09.03.2026

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	MBS
Product	UBR-01 Mk II
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-02
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-LON
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Credits

Adrien Rey from Cyber Defense Campus Zurich finder
Daniel Hulliger from Armasuisse finder

References

https://www.mbs-solutions.de/mbs-2025-0001

Problem Types

CWE-862 Missing Authorization CWE