CVE-2025-41755
Arbitrary File Read via ubr-logread in wwwubr.cgi
Publication date: 2026-03-09
Last updated on: 2026-03-11
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mbs-solutions | universal_bacnet_router_firmware | to 6.0.1.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2025-41755 is a security vulnerability in the MBS GmbH Universal BACnet Routers (UBR) firmware. It involves the `ubr-logread` method in the `wwwubr.cgi` web interface, which allows a low-privileged authenticated user to read arbitrary files on the device's filesystem."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the endpoint accepts a parameter specifying which log file to read, originally intended to access files like `/tmp/weblog{some_number}`. However, this parameter is not properly validated, enabling an attacker to modify it to reference any file on the system and retrieve its contents.'}, {'type': 'paragraph', 'content': 'This improper input validation (CWE-20) allows an attacker to access sensitive files such as password files, web interface credentials, and private server keys.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts on the confidentiality of your system. An attacker with a user-level account can read sensitive files including:
- /etc/shadow, which contains password hashes and could allow password cracking and unauthorized SSH access.
- Web interface credentials stored in `/ubr/config/user.cfg`.
- Private HTTPS server keys located at `/ubr/etc/certs/httpd.pem`.
- BACnet/SC service private keys at `/ubr/etc/certs/1_srvr-pkey.pem`.
By compromising these files, an attacker could breach system confidentiality and potentially escalate their access or cause further system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access the `ubr-logread` method in the `wwwubr.cgi` web interface with a manipulated log file parameter to read arbitrary files.'}, {'type': 'paragraph', 'content': 'For detection, you can try sending HTTP requests to the vulnerable endpoint with different file paths to see if arbitrary files can be read. For example, using curl commands to request sensitive files like `/etc/shadow` or configuration files.'}, {'type': 'list_item', 'content': 'curl -u <user>:<password> "http://<router-ip>/wwwubr.cgi?ubr-logread=/etc/shadow"'}, {'type': 'list_item', 'content': 'curl -u <user>:<password> "http://<router-ip>/wwwubr.cgi?ubr-logread=/ubr/config/user.cfg"'}, {'type': 'list_item', 'content': 'curl -u <user>:<password> "http://<router-ip>/wwwubr.cgi?ubr-logread=/ubr/etc/certs/httpd.pem"'}, {'type': 'paragraph', 'content': 'If the response contains the contents of these files, the system is vulnerable.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the firmware of the affected MBS Universal BACnet Routers to version V6.0.1.0 or later, which contains the fix for this vulnerability.
Until the firmware is updated, restrict access to the web interface to trusted users only, and monitor for any suspicious activity involving the `ubr-logread` endpoint.
Additionally, review and tighten user account privileges to minimize the risk of exploitation by low-privileged users.