CVE-2025-41762
Received
Received - Intake
Weak Hash Exposure in wwwdnload.cgi Enables Unauthorized Data Access
Publication date: 2026-03-09
Last updated on: 2026-03-11
Assigner: CERT VDE
Description
Description
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mbs-solutions | universal_bacnet_router_firmware | to 6.0.1.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-328 | The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). |
