CVE-2025-41762
Weak Hash Exposure in wwwdnload.cgi Enables Unauthorized Data Access
Publication date: 2026-03-09
Last updated on: 2026-03-11
Assigner: CERT VDE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mbs-solutions | universal_bacnet_router_firmware | up to 6.0.1.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an unauthenticated attacker to exploit a weak hash used in the backup generated by the wwwdnload.cgi endpoint. By abusing this weak hash, the attacker can gain unauthorized access to sensitive data such as password hashes and certificates.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker could access sensitive information without authentication. This includes password hashes and certificates, which could lead to further compromise of systems or data if the attacker uses this information maliciously.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know