MBS-2025-0001: Several security vulnerabilities in the UBR web GUI have been fixed

Publisher: MBS GmbH
Document category: csaf_security_advisory
Initial release date: 2025-11-28T11:00:00.000Z
Engine: Secvisogram 2.5.41
Current release date: 2025-11-28T11:00:00.000Z
Build Date: 2025-12-17T12:15:11.641Z
Current version: 1.0.0
Status: draft
CVSSv3.1 Base Score: 8.8
Severity: High
Language: en-US

Summary

Several vulnerabilities have been reported in the UBR firmware.

General Recommendation

Please install the new firmware version V6.0.1.0 for the UBR immediately.


mitigation

Please install the new firmware version V6.0.1.0 for the UBR immediately.

remediation

Please install the new firmware version V6.0.1.0 for the UBR immediately.

Product Description

The MBS Universal BACnet Routers serve to connect BACnet networks of different technologies. They support the current BACnet revision 22, including BACnet/IP, BACnet Ethernet, BACnet MS/TP, and BACnet/LonTalk.

The firmware for the Universal BACnet Routers exists in two variants, e.g., 32 MB RAM | UBR-MICRO7 21.2.1 and 64 MB RAM | UBR-MICRO7 21.3.1.

Product groups

Fixed products.

  • Firmware UBR (32 MB)

  • Firmware UBR (64 MB)

Vulnerabilities

Arbitrary read with ubr-editfile (CVE-2025-41754)

Impact (operational management and system administrators)

An adversary with a user account can read any file on the system. He can then, among other things:

− Read /etc/shadow and attempt to recover the service password to ssh to the machine

− Read the web interface credentials in /ubr/config/user.cfg and try to recover their passwords

− Read the private key of the https server (/ubr/etc/certs/httpd.pem) or the BACnet/SC service (/ubr/etc/certs/1_srvr-pkey.pem).

Vulnerability Description (all)

The ubr-editfile method in wwwubr.cgi is an unused undocumented API endpoint, probably leftover from an old version, that allows arbitrary read access to the entire file system.

CWE: CWE-863: Incorrect Authorization

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Arbitrary read with ubr-logread (CVE-2025-41755)

impact

An adversary with a user account can read any file on the system. He can then, among other things:

− Read /etc/shadow and attempt to recover the service password to ssh to the machine

− Read the web interface credentials in /ubr/config/user.cfg and try to recover their passwords

− Read the private key of the https server (/ubr/etc/certs/httpd.pem) or the BACnet/SC service (/ubr/etc/certs/1_srvr-pkey.pem).

Vulnerability Description

The ubr-logread method in wwwubr.cgi retrieves the content of a log file (/tmp/weblog{some_number}). Unfortunately, the log file to be opened is specified as a parameter in the request and can then be changed to any arbitrary file to be retrieved.

CWE: CWE-20: Improper Input Validation

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Arbitrary write with ubr-editfile (CVE-2025-41756)

impact

The attacker has full control over the file system. They can:

− Overwrite any file

− Replace existing scripts with malicious ones that will eventually be run

− Replace passwords with their own (web interface and SSH)

− Modify any configuration file (web, BACnet, ssh, network, ...)

− Open or remove network filters

− ...

Vulnerability Description

The ubr-editfile method in wwwubr.cgi is an unused undocumented API endpoint, probably leftover from an old version, that allows arbitrary writing to the entire file system.

CWE: CWE-912: Hidden Functionality

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Arbitrary write with ubr-restore (CVE-2025-41757)

impact

The attacker has full control over the file system. They can:

− Overwrite any file

− Replace existing scripts with malicious ones that will eventually be run

− Replace passwords with their own (web interface and SSH)

− Modify any configuration file (web, BACnet, ssh, network, ...)

− Open or remove network filters

− ...

Vulnerability Description

When a backup is restored as a user, the files contained in the backup archive are not checked. It is then possible to create a file anywhere on the system and to overwrite any existing files.

CWE: CWE-20: Improper Input Validation

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Arbitrary write with wwwupload.cgi (CVE-2025-41758)

impact

With the path traversal vulnerability, an attacker has full control over the file system. They can:

− Overwrite any file

− Replace existing scripts with malicious ones that will eventually be run

− Replace passwords with their own (web interface and SSH)

− Modify any configuration file (web, BACnet, ssh, network, ...)

− Open or remove network filters

− ...

Vulnerability Description

This API can be used to upload pictures to the details tab. It has a file parameter that is normally either contact1.png or contact2.png (this is set by the JavaScript code of the webpage and not by the user). If this is the case, the file is uploaded to /uxx/http/html/config. However, it appears that an unused feature remains in the code (probably from an old version): if the name is not one of the two (changed manually in the request parameter), the file is uploaded to /ubr/config. This allows the attacker to overwrite any file in this folder. Furthermore, the code of wwwupload appears to have some sanitization for the "/" character. But instead of correctly sanitizing the path and canceling the request, it will just upload the file in /uxx/httpd/html/config. This allows a path traversal, and it is then feasible to overwrite any file on the device.

CWE: CWE-20: Improper Input Validation

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Use of wildcard (“*” or “all”) in block list (CVE-2025-41759)

impact

As a result, the intended block list is ineffective: the network remains accessible even though, from the installer's point of view, everything is blocked.

Vulnerability Description

An administrator might configure the block list using "*" or "all" as the network number to block all networks. In fact, the use of "*" or "all" is not supported, but sadly does not raise any error for the administrator. When these are used, they are internally converted to network 0, which means no networks are blocked.

CWE: CWE-20: Improper Input Validation

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Pass filter with empty table (CVE-2025-41760)

impact

This misconfiguration could lead to unauthorized access as the network traffic from every network is still allowed to pass through, even if from the installer's point of view everything is blocked.

Vulnerability Description

The use of a Pass filter with an empty table is normally configured on the assumption that it would block all traffic, securing the system. In practice on this device, an empty pass list has no effect on network traffic, as it does not block any connections.
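Both filter findings (the empty pass table here and the wildcard entry in CVE-2025-41759) are silent misconfigurations, so a configuration check can flag them before a device is deployed. The following C lint is an added example, not MBS code: the entry strings, the mode enum and the finding flags are hypothetical, and the accepted range 1 to 65534 is an assumption based on the routable BACnet network numbers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum filter_mode { FILTER_BLOCK, FILTER_PASS };   /* hypothetical names */

/* Finding flags returned by lint_filter(). */
#define FINDING_NOT_A_NUMBER 0x1  /* "*" or "all": silently becomes network 0 */
#define FINDING_NETWORK_ZERO 0x2  /* network 0 blocks nothing */
#define FINDING_OUT_OF_RANGE 0x4  /* outside the assumed range 1..65534 */
#define FINDING_EMPTY_PASS   0x8  /* empty pass table does not block traffic */

/* Strictly parse one entry. Unlike atoi(), non-numeric tokens and trailing
 * junk are errors instead of 0. Returns 0 on success, else a finding flag. */
static int parse_network(const char *s, unsigned *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || *s < '0' || *s > '9')
        return FINDING_NOT_A_NUMBER;      /* "", "*", "all", "-1", " 5" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (*end != '\0')
        return FINDING_NOT_A_NUMBER;      /* "12abc" */
    if (errno == ERANGE || v > 65534UL)
        return FINDING_OUT_OF_RANGE;
    if (v == 0)
        return FINDING_NETWORK_ZERO;
    *out = (unsigned)v;
    return 0;
}

/* Lint a whole table. Returns the OR of all findings (0 means clean). */
static int lint_filter(enum filter_mode mode, const char *const *entries,
                       size_t n)
{
    int findings = 0;
    unsigned net = 0;

    if (mode == FILTER_PASS && n == 0)
        findings |= FINDING_EMPTY_PASS;
    for (size_t i = 0; i < n; i++)
        findings |= parse_network(entries[i], &net);
    return findings;
}

/* Constructed sample tables. */
static const char *const TABLE_WILDCARD[] = { "*", "all" };
static const char *const TABLE_ZERO[]     = { "0" };
static const char *const TABLE_MIXED[]    = { "10", "70000", "12abc" };
static const char *const TABLE_GOOD[]     = { "10", "2001" };

int main(void)
{
    printf("wildcard block list: 0x%x\n",
           lint_filter(FILTER_BLOCK, TABLE_WILDCARD, 2));
    printf("network 0 entry:     0x%x\n",
           lint_filter(FILTER_BLOCK, TABLE_ZERO, 1));
    printf("mixed entries:       0x%x\n",
           lint_filter(FILTER_BLOCK, TABLE_MIXED, 3));
    printf("valid block list:    0x%x\n",
           lint_filter(FILTER_BLOCK, TABLE_GOOD, 2));
    printf("empty pass table:    0x%x\n",
           lint_filter(FILTER_PASS, NULL, 0));
    return 0;
}
```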

CWE: CWE-1059: Insufficient Technical Documentation

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Privilege escalation possible (CVE-2025-41761)

impact

Attackers with access to the service account (for example, via SSH) can leverage this to gain full privileges on the machine.

Vulnerability Description

Privilege escalation refers to the process of gaining higher-level privileges, typically root access, allowing an attacker to perform unauthorized actions. When sudo is improperly configured to allow execution of certain binaries, it can be exploited by an attacker to escalate their access to higher privileges potentially compromising the entire system.

Of the binaries that the service account is permitted to execute with sudo, two of them—tcpdump and ip—allow for privilege escalation.

CWE: CWE-269: Improper Privilege Management

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Secret leak with wwwdnload.cgi (CVE-2025-41762)

impact

The backup contains multiple pieces of sensitive information that users should not have access to:

  1. The attacker gains access to the list of web interface accounts and their hashed passwords (/ubr/config/user.cfg). They can then attempt to recover the password for an account using tools such as hashcat or John the Ripper. Once the password is recovered, they can escalate privileges from guest to user/admin.

  2. The attacker gets access to the BACnet/SC private key (/ubr/etc/certs/1_srvr-pkey.pem) and the HTTPS private key (/ubr/etc/certs/httpd.pem), and can then impersonate the device using these private keys.

Vulnerability Description

Obtaining a backup as a user allows access to sensitive information such as the web interface password hash of the admin account and certificate.

CWE: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Unchecked role in wwwdnload.cgi (CVE-2025-41763)

impact

An adversary obtaining a backup file can gain access to multiple pieces of sensitive information. (see 2.6)

Vulnerability Description

When called, the wwwdnload.cgi endpoint only checked whether the session existed in its database, but not the role associated with it. A guest account could then download anything that a user/admin could by directly interacting with this endpoint, including backups and certificate requests.

CWE: CWE-269: Improper Privilege Management

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Unchecked role in wwwupdate.cgi (CVE-2025-41764)

impact

An adversary having only a guest/user account can push an update. He can leverage this by, for example, uploading a previous update with a known vulnerability to exploit afterward.

Vulnerability Description

When called, the wwwupdate.cgi endpoint only checked whether the session existed in its database, but not the role associated with it. A guest/user account could then push any update.

CWE: CWE-269: Improper Privilege Management

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Unchecked role in wwwupload.cgi (CVE-2025-41765)

impact

An adversary can upload every file a user/admin can. By chance, many of these uploaded files need a call to wwwubr.cgi to take effect and are only stored in /tmp. However, an attacker can still deface the web interface by uploading fake contact photos. He can also leverage other known vulnerabilities on wwwupload.cgi (4.1.17), having access to only a guest account instead of a user one.

Vulnerability Description

When called, the wwwupload.cgi endpoint only checked whether the session existed in its database, but not the role associated with it. A guest account could then upload anything that a user/admin could by directly interacting with this endpoint, including: a contact image, certificate for https, a backup to restore, server peer, BACnet/SC server certificate, BACnet/SC server key.
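The three role-check findings (wwwdnload.cgi, wwwupdate.cgi and wwwupload.cgi) share one root cause: a session lookup is used as the authorization decision. The following C sketch is an added example, not MBS code; the session table, tokens and function names are constructed, and the minimum role per endpoint is an assumption drawn from the descriptions in this advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum role { ROLE_NONE = 0, ROLE_GUEST, ROLE_USER, ROLE_ADMIN };

struct session  { const char *token; enum role role; };
struct endpoint { const char *name;  enum role min_role; };

/* Constructed session table standing in for the device's session database. */
static const struct session SESSIONS[] = {
    { "tok-guest", ROLE_GUEST },
    { "tok-user",  ROLE_USER  },
    { "tok-admin", ROLE_ADMIN },
};

/* Assumed minimum roles: downloads and uploads need user, updates need admin. */
static const struct endpoint ENDPOINTS[] = {
    { "wwwdnload.cgi", ROLE_USER  },
    { "wwwupload.cgi", ROLE_USER  },
    { "wwwupdate.cgi", ROLE_ADMIN },
};

/* Look up the role bound to a token; ROLE_NONE if the session is unknown.
 * (A production lookup should also compare tokens in constant time.) */
static enum role session_role(const char *token)
{
    if (token == NULL)
        return ROLE_NONE;
    for (size_t i = 0; i < sizeof SESSIONS / sizeof SESSIONS[0]; i++)
        if (strcmp(SESSIONS[i].token, token) == 0)
            return SESSIONS[i].role;
    return ROLE_NONE;
}

/* Behaviour described in the advisory: any existing session is accepted. */
static int authorize_session_only(const char *endpoint, const char *token)
{
    (void)endpoint;
    return session_role(token) != ROLE_NONE;
}

/* Corrected check: the session's role must meet the endpoint's minimum,
 * and endpoints without an entry are denied by default. */
static int authorize_with_role(const char *endpoint, const char *token)
{
    enum role r = session_role(token);

    if (endpoint == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ENDPOINTS / sizeof ENDPOINTS[0]; i++)
        if (strcmp(ENDPOINTS[i].name, endpoint) == 0)
            return r >= ENDPOINTS[i].min_role;
    return 0;
}

int main(void)
{
    printf("guest -> wwwupdate.cgi, session only: %d\n",
           authorize_session_only("wwwupdate.cgi", "tok-guest"));
    printf("guest -> wwwupdate.cgi, role checked: %d\n",
           authorize_with_role("wwwupdate.cgi", "tok-guest"));
    printf("admin -> wwwupdate.cgi, role checked: %d\n",
           authorize_with_role("wwwupdate.cgi", "tok-admin"));
    return 0;
}
```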

CWE: CWE-269: Improper Privilege Management

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 3.5 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 3.5 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For more details, please check the release notes on our website.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Stack buffer overflow when parsing web requests (CVE-2025-41766)

impact

By sending a specially crafted HTTP POST request, an attacker can overwrite a stack buffer, hijack the execution flow, and execute their own code.

The attacker needs a valid login or session token for either user or admin.

Vulnerability Description

While parsing the request data of the "method": "ubr-network", the code parses the user-controlled JSON array routingItems and, for each element, builds a small string (str, max 63 bytes) and then unconditionally concatenates it into a large but fixed-size stack buffer of size 0x8001 bytes. This leads to a stack buffer overflow, allowing an attacker to overwrite the return address and ultimately allowing the hijacking of the execution flow.
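The flaw described above is an unbounded append inside a loop. The following C sketch is an added example, not MBS code: the structure and function names are hypothetical, and only the 0x8001-byte buffer and the 63-byte item limit come from the advisory. It tracks the bytes already used and rejects the whole request as soon as the next item would not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROUTING_BUF_SIZE 0x8001  /* fixed buffer size named in the advisory */
#define ITEM_MAX         63      /* per-item string limit named in the advisory */

/* Hypothetical accumulator: the buffer plus the bytes already used. */
struct routing_buf {
    char   data[ROUTING_BUF_SIZE];
    size_t used;                 /* excludes the terminating NUL */
};

/*
 * Pattern described in the advisory, kept as a comment only:
 *     for each routingItems element: strcat(buf, str);
 * Nothing compares the running length with sizeof(buf), so enough
 * elements write past the end of the stack buffer.
 */

/* Append one item. Returns 0 on success, -1 if it is too long or does not fit. */
static int routing_buf_append(struct routing_buf *rb, const char *item)
{
    const char *nul = memchr(item, '\0', ITEM_MAX + 1);
    size_t len;

    if (nul == NULL)
        return -1;                              /* longer than ITEM_MAX */
    len = (size_t)(nul - item);
    if (len >= ROUTING_BUF_SIZE - rb->used)     /* keep one byte for the NUL */
        return -1;
    memcpy(rb->data + rb->used, item, len);
    rb->used += len;
    rb->data[rb->used] = '\0';
    return 0;
}

/* Build the whole string; the request is rejected on the first failure.
 * Returns the number of items appended, or -1. */
static int build_routing_string(struct routing_buf *rb,
                                const char *const *items, size_t n)
{
    rb->used = 0;
    rb->data[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (routing_buf_append(rb, items[i]) != 0) {
            rb->used = 0;                       /* never act on a partial result */
            rb->data[0] = '\0';
            return -1;
        }
    }
    return (int)n;
}

/* Constructed input: n copies of a 63-byte item. */
static int demo_build(size_t n)
{
    static struct routing_buf rb;
    static const char *items[1024];
    static char item[ITEM_MAX + 1];

    if (n > 1024)
        return -1;
    memset(item, 'A', ITEM_MAX);
    item[ITEM_MAX] = '\0';
    for (size_t i = 0; i < n; i++)
        items[i] = item;
    return build_routing_string(&rb, items, n);
}

int main(void)
{
    printf("520 items: %d\n", demo_build(520));
    printf("521 items: %d\n", demo_build(521));
    return 0;
}
```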

CWE: CWE-787: Out-of-bounds Write

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Daniel Hulliger from Cyber Defence Campus Zurich for reporting the vulnerability to the vendor.


Signature bypass on update upload (CVE-2025-41767)

impact

By exploiting a vulnerability that bypasses update signatures, an attacker can completely compromise the device. This includes executing code as root and/or changing any system files. The attacker needs an admin user on the web interface, either by stealing a password or a session token. Session tokens on this device have no expiration date!

The vulnerability described in CVE-2025-41772 further amplifies the risk of stolen session tokens!

Vulnerability Description

The Universal-BACnet Router UBR-01 is vulnerable to an update signature bypass vulnerability. This allows an administrator or attacker with admin credentials or a stolen admin session key to execute code using an untrusted system update and gain full persistent root access on the device. When uploading an update, the HTTP request is handled by wwwupdate.cgi. The cgi program takes the filename parameter, performs some sanitization to prevent path traversal attacks and verifies correct filename endings, but then uses the resulting filename without further verification as a parameter to execute the gpg program. By using a filename such as "-h f.upd", we can bypass not only the required steps to reach the PAppSpawn function, but also ensure that the resulting error code is 0. This is important because otherwise the update file will be deleted. This allows us to upload a non-signed or invalidly signed .upd file to the /updates/ folder.
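The bypass above and the wwwupload.cgi fallback (CVE-2025-41758) both come from using a request-supplied file name after incomplete sanitization. The following C sketch is an added example, not MBS code: the function names, the character allow-list and the sample file name are constructed, and the gpg invocation is an assumed form rather than the one in the firmware. It rejects bad names outright and keeps the name from being parsed as an option.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept only a plain file name made of [A-Za-z0-9._-] that does not start
 * with '-' or '.', contains no "..", and ends in the required suffix.
 * Anything else is rejected, never silently "repaired" or redirected. */
static int is_safe_name(const char *name, const char *suffix)
{
    size_t len, slen;

    if (name == NULL || suffix == NULL)
        return 0;
    len = strlen(name);
    slen = strlen(suffix);
    if (len <= slen || len > 64)
        return 0;
    if (name[0] == '-' || name[0] == '.')
        return 0;                       /* would read as an option or dot file */
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;                   /* '/', '\\', spaces, control bytes */
    }
    if (strstr(name, "..") != NULL)
        return 0;
    return strcmp(name + len - slen, suffix) == 0;
}

/* Write "<dir>/<name>" to out. Returns 0 on success and -1 on rejection;
 * there is deliberately no fallback directory. */
static int build_path(char *out, size_t outsz, const char *dir,
                      const char *name, const char *suffix)
{
    int n;

    if (!is_safe_name(name, suffix))
        return -1;
    n = snprintf(out, outsz, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Fill argv for a signature check (assumed invocation). The path is absolute,
 * so it cannot start with '-', and "--" ends option parsing as a second guard. */
static int build_verify_argv(const char *argv[5], char *path, size_t pathsz,
                             const char *name)
{
    if (build_path(path, pathsz, "/updates", name, ".upd") != 0)
        return -1;
    argv[0] = "gpg";
    argv[1] = "--verify";
    argv[2] = "--";
    argv[3] = path;
    argv[4] = NULL;
    return 0;
}

/* Returns 1 if the constructed file name yields an argv, 0 if it is rejected. */
static int demo_accepts(const char *name)
{
    const char *argv[5];
    char path[128];

    return build_verify_argv(argv, path, sizeof path, name) == 0;
}

int main(void)
{
    printf("%d %d %d\n", demo_accepts("fw_6.0.1.0.upd"),
           demo_accepts("-h f.upd"), demo_accepts("../x.upd"));
    return 0;
}
```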

CWE: CWE-347: Improper Verification of Cryptographic Signature

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Daniel Hulliger and Damian Pfammatter from Cyber Defence Campus Zurich for reporting the vulnerability to the vendor.


wwwupdate.cgi session token in URL (CVE-2025-41772)

impact

Placing session tokens in the URL increases the risk that they will be captured by an attacker.

Vulnerability Description

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked, or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed.

CWE: CWE-598: Use of GET Request Method With Sensitive Query Strings

Product status

Known affected

| Product | CVSS Vector | CVSS Base Score |
|---|---|---|
| Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L | 6.8 |
| Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L | 6.8 |

Fixed

  • Firmware UBR (32 MB) installed on UBR-01 Mk II

  • Firmware UBR (64 MB) installed on UBR-01 Mk II

  • Firmware UBR (32 MB) installed on UBR-02

  • Firmware UBR (64 MB) installed on UBR-02

  • Firmware UBR (32 MB) installed on UBR-LON

  • Firmware UBR (64 MB) installed on UBR-LON

Remediations

Vendor fix (November 5, 2025, 11:00 a.m.)

MBS GmbH has officially released a new UBR firmware version V6.0.1.0 that fixes the described vulnerability.

For groups:

  • Fixed products.

https://en.mbs-solutions.de/firmwareupdate-router

Acknowledgments

  • Daniel Hulliger and Damian Pfammatter from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.


Acknowledgments

MBS GmbH would like to thank the following parties for their efforts:

  • Adrien Rey from Cyber Defense Campus Zurich for reporting several vulnerabilities to the vendor.

  • Daniel Hulliger from Armasuisse for reporting the vulnerability to the vendor.

LICENSE

csaf creator

Link to repository: CERT@VDE CSAF Template © 2025 by CERT@VDE is licensed under CC BY-NC 4.0

This document note may only be removed in order to create a CSAF advisory based on this template.

MBS GmbH

Namespace: https://en.mbs-solutions.de

Phone: +49 2151 7294-0 | Email: info@mbs-solutions.de

MBS GmbH is responsible for fixing any vulnerabilities related to MBS' products or services.


Revision history

| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1.0.0 | 2025-11-28T11:00:00.000Z | Initial creation of the document in draft form. |
| 1.0.1 | 2025-12-17T13:00:00.000Z | Addition of vulnerabilities |

Sharing rules

TLP:WHITE
For the TLP version, see: https://www.first.org/tlp/

Disclaimer

MBS GmbH | Römerstraße 15 | 47809 Krefeld Managing Directors: Gerhard Memmen-Krüger, Melanie Loy, Nils-Gunnar Fritz Register court Krefeld HRB 3337 VAT ID: DE 120 148 529
