CVE-2025-41765 PUBLISHED

Unchecked role in wwwupload.cgi

Assigner: CERTVDE
Reserved: 16.04.2025 Published: 09.03.2026 Updated: 09.03.2026

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	MBS
Product	UBR-01 Mk II
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-02
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Vendor	MBS
Product	UBR-LON
Versions	Default: unaffected affected from 0.0.0 to 6.0.1.0 (excl.)

Credits

Adrien Rey from Cyber Defense Campus Zurich finder
Daniel Hulliger from Armasuisse finder

References

https://www.mbs-solutions.de/mbs-2025-0001

Problem Types

CWE-862 Missing Authorization CWE