MBS-2025-0001: Several security vulnerabilities in the UBR web GUI have been fixed
Publisher: MBS GmbH
Document category: csaf_security_advisory
Initial release date: 2025-11-28T11:00:00.000Z
Engine: Secvisogram 2.5.41
Current release date: 2025-11-28T11:00:00.000Z
Build Date: 2025-12-17T12:15:11.641Z
Current version: 1.0.0
Status: draft
CVSSv3.1 Base Score: 8.8
Severity: High
Original language:
Language: en-US
Summary
Several vulnerabilities have been reported in the UBR firmware.
General Recommendation
Please install the new firmware version V6.0.1.0 for the UBR immediately.
Impact
Mitigation
Please install the new firmware version V6.0.1.0 for the UBR immediately.
Remediation
Please install the new firmware version V6.0.1.0 for the UBR immediately.
Product Description
The MBS Universal BACnet Routers serve to connect BACnet networks of different technologies. They support current BACnet revision 22, supporting BACnet/IP, BACnet Ethernet, BACnet MS/TP and BACnet/LonTalk.
The firmware for the Universal BACnet Routers exists in two variants, e.g. 32 MB RAM | UBR-MICRO7 21.2.1 and 64 MB RAM | UBR-MICRO7 21.3.1.
Product groups
Fixed products.
Firmware UBR (32 MB)
Firmware UBR (64 MB)
Vulnerabilities
Arbitrary Read with ubr-editfile (CVE-2025-41754)
Impact (operational management and system administrators)
An adversary with a user account can read any file on the system. Among other things, they can:
− Read /etc/shadow and try to recover the service password to log in to the machine via SSH
− Read the web interface credentials in /ubr/config/user.cfg and try to recover their passwords
− Read the private key of the HTTPS server (/ubr/etc/certs/httpd.pem) or the BACnet/SC service (/ubr/etc/certs/1_srvr-pkey.pem).
Vulnerability Description (all)
The ubr-editfile method in wwwubr.cgi is an unused, undocumented API endpoint, probably left over from an old version, that allows arbitrary reads on the complete file system.
CWE:CWE-863:Incorrect Authorization
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5
Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 6.5
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Arbitrary Read with ubr-logread (CVE-2025-41755)
Impact
An adversary with a user account can read any file on the system. Among other things, they can:
− Read /etc/shadow and try to recover the service password to log in to the machine via SSH
− Read the web interface credentials in /ubr/config/user.cfg and try to recover their passwords
− Read the private key of the HTTPS server (/ubr/etc/certs/httpd.pem) or the BACnet/SC service (/ubr/etc/certs/1_srvr-pkey.pem).
Vulnerability Description
The ubr-logread method in wwwubr.cgi retrieves the content of a log file (/tmp/weblog{some_number}). Unfortunately, the log file to open is given as a parameter in the request and can therefore be changed to an arbitrary file to retrieve.
CWE:CWE-20:Improper Input Validation
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Arbitrary Write with ubr-editfile (CVE-2025-41756)
Impact
The attacker has full control over the file system and can:
− Overwrite any file
− Replace existing scripts with malicious ones that will eventually be run
− Replace passwords with their own (web interface and SSH)
− Modify any configuration file (web, BACnet, ssh, network, ...)
− Open or remove network filters
− ...
Vulnerability Description
The ubr-editfile method in wwwubr.cgi is an unused, undocumented API endpoint, probably left over from an old version, that allows arbitrary writes on the complete file system.
CWE:CWE-912:Hidden Functionality
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Arbitrary Write with ubr-restore (CVE-2025-41757)
Impact
The attacker has full control over the file system and can:
− Overwrite any file
− Replace existing scripts with malicious ones that will eventually be run
− Replace passwords with their own (web interface and SSH)
− Modify any configuration file (web, BACnet, ssh, network, ...)
− Open or remove network filters
− ...
Vulnerability Description
Restoring a backup as a user does not check which files are contained in the backup archive. It is therefore possible to create a file anywhere on the system and to overwrite any existing file.
CWE:CWE-20:Improper Input Validation
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Arbitrary Write with wwwupload.cgi (CVE-2025-41758)
Impact
With the path traversal vulnerability, an attacker has full control over the file system and can:
− Overwrite any file
− Replace existing scripts with malicious ones that will eventually be run
− Replace passwords with their own (web interface and SSH)
− Modify any configuration file (web, BACnet, ssh, network, ...)
− Open or remove network filters
− ...
Vulnerability Description
This API serves to upload pictures to the details tab. It has a file parameter that is normally either contact1.png or contact2.png (set by the JavaScript code of the web page, not by the user). In that case the file is uploaded to /uxx/http/html/config. However, an unused feature appears to remain in the code (probably from an old version): if the name is not one of the two (changed manually in the request parameter), the file is uploaded to /ubr/config. This allows the attacker to overwrite any file in this folder. Furthermore, the code of wwwupload seems to have some sanitization for the "/" character, but instead of correctly sanitizing the path and cancelling the request, it just uploads the file to /uxx/httpd/html/config. This allows a path traversal, and it is then feasible to overwrite any file on the device.
CWE:CWE-20:Improper Input Validation
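The file-handling flaws described for ubr-logread, the backup restore and wwwupload.cgi all come from trusting a client-supplied name or path. The C code below is an added example, not MBS firmware code: it shows server-side checks that accept only what the server expects. The function names, the 4-digit limit on the log number and the rules for archive members are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Log viewer: the client sends only a number; the server builds the path.
 * Returns 0 and fills out, or -1 if id is not 1..4 decimal digits
 * (the 4-digit limit is an assumption). */
int weblog_path(const char *id, char *out, size_t cap)
{
    size_t len = strlen(id);
    int n;

    if (len == 0 || len > 4 || strspn(id, "0123456789") != len)
        return -1;
    n = snprintf(out, cap, "/tmp/weblog%s", id);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Contact picture upload: only the two names the web page ever sends.
 * Anything else is rejected instead of being stored somewhere else. */
int upload_name_ok(const char *name)
{
    return strcmp(name, "contact1.png") == 0 ||
           strcmp(name, "contact2.png") == 0;
}

/* Backup restore: a member path must be relative and must not contain
 * empty, "." or ".." components. A real restore must also reject
 * symlink and hardlink entries by type, which is not shown here. */
int archive_member_ok(const char *member)
{
    const char *p = member;

    if (*p == '\0' || *p == '/')
        return 0;                          /* empty or absolute path */
    while (*p != '\0') {
        size_t n = strcspn(p, "/");
        if (n == 0)
            return 0;                      /* "//" */
        if ((n == 1 && p[0] == '.') ||
            (n == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                      /* "." or ".." component */
        p += n;
        if (*p == '/')
            p++;                           /* a trailing '/' marks a directory */
    }
    return 1;
}

/* Helper for the constructed samples: returns the path or NULL. */
const char *demo_weblog(const char *id)
{
    static char path[32];
    return weblog_path(id, path, sizeof path) == 0 ? path : NULL;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *ids[] = { "3", "../etc/shadow", "" };
    const char *members[] = { "config/user.cfg", "/etc/shadow",
                              "config/../../etc/shadow" };
    size_t i;

    for (i = 0; i < 3; i++) {
        const char *p = demo_weblog(ids[i]);
        printf("log id \"%s\" -> %s\n", ids[i], p ? p : "rejected");
    }
    for (i = 0; i < 3; i++)
        printf("member \"%s\" -> %s\n", members[i],
               archive_member_ok(members[i]) ? "ok" : "rejected");
    printf("upload \"user.cfg\" -> %s\n",
           upload_name_ok("user.cfg") ? "ok" : "rejected");
    return 0;
}
```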
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Use of wildcard (“*” or “all”) in Block list (CVE-2025-41759)
Impact
As a result, the intended block list is ineffective: the network remains accessible even though, from the installer's point of view, everything is blocked.
Vulnerability Description
An administrator might configure the block list using “*” or “all” as the network number to block all networks. In fact, the use of “*” or “all” is not supported, but it does not raise any error to the administrator. When these values are used, they are internally converted to network 0, which means no networks are blocked.
CWE:CWE-20:Improper Input Validation
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Pass filter with Empty Table (CVE-2025-41760)
Impact
This misconfiguration could lead to unauthorized access, as network traffic from every network is still allowed to pass through even though, from the installer's point of view, everything is blocked.
Vulnerability Description
A Pass filter with an empty table is normally configured on the assumption that it blocks all traffic, securing the system. In practice on this device, an empty pass list has no effect on network traffic, as it does not block any connections.
CWE:CWE-1059:Insufficient Technical Documentation
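Both filter issues (the wildcard entry in the block list and the empty pass table) are cases where the stored configuration means something different from what the installer typed. The C code below is an added example, not MBS firmware code: it contrasts a lenient conversion with a strict one and evaluates a filter with conventional block-list and pass-list semantics. The use of atoi() as the lenient conversion, the function names and the sample tables are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum filter_mode { FILTER_BLOCK, FILTER_PASS };

/* Lenient conversion, for contrast: atoi() returns 0 when it finds no
 * digits, so "*" and "all" silently become network 0 (assumed mechanism). */
int lenient_network(const char *s)
{
    return atoi(s);
}

/* Strict conversion: routable BACnet network numbers are 1..65534
 * (0 means "local network", 65535 is the global broadcast).
 * Returns the number, or -1 so the GUI can report an error. */
long strict_network(const char *s)
{
    char *end;
    unsigned long v;

    if (s == NULL || s[0] < '0' || s[0] > '9')
        return -1;                      /* "", "*", "all", "-1", " 5" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65534)
        return -1;                      /* "12x", "0", "70000" */
    return (long)v;
}

/* Decide whether traffic for net is forwarded (1) or dropped (0).
 * Block list: listed networks are dropped.
 * Pass list: only listed networks are forwarded, so an empty pass
 * list drops everything, which is what the installer expects. */
int filter_allows(enum filter_mode mode, const unsigned *nets, size_t n,
                  unsigned net)
{
    int listed = 0;
    size_t i;

    for (i = 0; i < n; i++)
        if (nets[i] == net)
            listed = 1;
    return mode == FILTER_PASS ? listed : !listed;
}

/* Constructed sample tables. */
const unsigned SAMPLE_NETS[] = { 10, 20 };
const unsigned WILDCARD_AS_ZERO[] = { 0 };   /* what "all" turned into */

int main(void)
{
    printf("lenient \"all\" -> %d\n", lenient_network("all"));
    printf("strict  \"all\" -> %ld\n", strict_network("all"));
    printf("strict  \"20\"  -> %ld\n", strict_network("20"));
    printf("block list {0}, net 10 forwarded: %d\n",
           filter_allows(FILTER_BLOCK, WILDCARD_AS_ZERO, 1, 10));
    printf("empty pass list, net 10 forwarded: %d\n",
           filter_allows(FILTER_PASS, NULL, 0, 10));
    return 0;
}
```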
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 5.7
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Privilege escalation possible (CVE-2025-41761)
Impact
An attacker with access to the service account (for example via SSH) can leverage this to get full privileges on the machine.
Vulnerability Description
Privilege escalation refers to the process of gaining higher-level privileges, typically root access, allowing an attacker to perform unauthorized actions. When sudo is improperly configured to allow execution of certain binaries, it can be exploited by an attacker to escalate their access to higher privileges potentially compromising the entire system.
Among the binaries that the service account is permitted to execute with sudo, two of them – tcpdump and ip – allow for privilege escalation.
CWE:CWE-269:Improper Privilege Management
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Secret leak with wwwdnload.cgi (CVE-2025-41762)
Impact
The backup contains several pieces of sensitive information that a user should not have access to:
− The list of web interface accounts and their hashed passwords (/ubr/config/user.cfg). The user can then try to recover the passwords of these accounts with tools like hashcat or John the Ripper. Once a password is recovered, the user can escalate privileges from guest to user/admin.
− The BACnet/SC private key (/ubr/etc/certs/1_srvr-pkey.pem) and the HTTPS private key (/ubr/etc/certs/httpd.pem). The user can then impersonate the device using these private keys.
Vulnerability Description
Downloading a backup as a user gives access to sensitive information such as the web interface password hash of the admin account and the certificate.
CWE:CWE-200:Exposure of Sensitive Information to an Unauthorized Actor
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Unchecked role in wwwdnload.cgi (CVE-2025-41763)
Impact
An adversary who obtains a backup file gets hold of several pieces of sensitive information (see 2.6).
Vulnerability Description
When called, the wwwdnload.cgi endpoint only checked whether the session exists in its database, not the role associated with it. A guest account can therefore download anything that a user/admin can by interacting with this endpoint directly; this includes a backup and a certificate request.
CWE:CWE-269:Improper Privilege Management
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 3.5
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Unchecked role in wwwupdate.cgi (CVE-2025-41764)
Impact
An adversary with only a guest/user account can push an update. They can leverage this by, for example, uploading a previous update with a known vulnerability to exploit afterwards.
Vulnerability Description
When called, the wwwupdate.cgi endpoint only checked whether the session exists in its database, not the role associated with it. A guest/user account can therefore push any update.
CWE:CWE-269:Improper Privilege Management
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Unchecked role in wwwupload.cgi (CVE-2025-41765)
Impact
An adversary can upload every file a user/admin can. Fortunately, many of these uploaded files need a call to wwwubr.cgi to take effect and are only stored in /tmp. However, an attacker can still deface the web interface by uploading a fake contact photo. They can also leverage other known vulnerabilities in wwwupload.cgi (4.1.17) with access to only a guest account instead of a user one.
Vulnerability Description
When called, the wwwupload.cgi endpoint only checked whether the session exists in its database, not the role associated with it. A guest account can therefore upload anything that a user/admin can by interacting with this endpoint directly. This includes: a contact image, a certificate for HTTPS, a backup to restore, a server peer, a BACnet/SC server certificate and a BACnet/SC server key.
CWE:CWE-269:Improper Privilege Management
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 3.5
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 3.5
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For more details please check the release notes on our website.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Adrien Rey from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Stack buffer overflow on parsing web request (CVE-2025-41766)
Impact
By sending a specially crafted HTTP POST request, an attacker can overwrite a stack buffer, hijack the execution flow and execute their own code.
The attacker needs a valid login or session token for either user or admin.
Vulnerability Description
While parsing the request data of the "method": "ubr-network", the code parses the user-controlled JSON array routingItems and, for each element, builds a small string (str, max 63 bytes) and then unconditionally strcats it into a large but fixed-size stack buffer of 0x8001 bytes. This leads to a stack buffer overflow, allowing an attacker to overwrite the return address and ultimately hijack the execution flow.
CWE:CWE-787:Out-of-bounds Write
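The overflow comes from appending an attacker-chosen number of items with strcat(), which knows nothing about the destination size. The C code below is an added example, not MBS firmware code: it appends with an explicit length check and rejects the request once the buffer is full. The function names and the ';' separator are assumptions; the two sizes are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

#define ROUTING_BUF_SIZE 0x8001   /* buffer size quoted in the advisory */
#define ITEM_MAX 63               /* per-item string limit quoted in the advisory */

/* Unsafe pattern, for contrast only (not compiled):
 *     for each item: strcat(buf, str);
 * Nothing stops the loop once buf is full, so the item count alone
 * decides how far past the end of buf the writes go. */

/* Append item plus a ';' separator, tracking how much of buf is used.
 * Returns 0 on success, -1 if the item is too long or does not fit. */
int append_item(char *buf, size_t cap, size_t *used, const char *item)
{
    size_t n = strlen(item);

    if (n > ITEM_MAX)
        return -1;
    /* Space needed: n bytes, the separator and the terminating NUL. */
    if (n + 2 > cap - *used)
        return -1;
    memcpy(buf + *used, item, n);
    *used += n;
    buf[(*used)++] = ';';
    buf[*used] = '\0';
    return 0;
}

/* Build the whole list; one item that does not fit fails the request
 * instead of truncating or overflowing. Returns bytes used or -1. */
long build_routing_list(char *buf, size_t cap,
                        const char *const *items, size_t count)
{
    size_t used = 0, i;

    if (cap == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < count; i++)
        if (append_item(buf, cap, &used, items[i]) != 0)
            return -1;
    return (long)used;
}

/* Constructed check: append count copies of a maximum-length item
 * to a buffer of the size quoted in the advisory. */
long demo_fill(size_t count)
{
    static char buf[ROUTING_BUF_SIZE];
    char item[ITEM_MAX + 1];
    size_t used = 0, i;

    memset(item, 'A', ITEM_MAX);
    item[ITEM_MAX] = '\0';
    buf[0] = '\0';
    for (i = 0; i < count; i++)
        if (append_item(buf, sizeof buf, &used, item) != 0)
            return -1;
    return (long)used;
}

int main(void)
{
    /* Constructed sample items. */
    const char *items[] = { "net=10", "net=20" };
    char buf[64];

    printf("two items: %ld bytes\n",
           build_routing_list(buf, sizeof buf, items, 2));
    printf("512 max-length items: %ld bytes\n", demo_fill(512));
    printf("513 max-length items: %ld\n", demo_fill(513));
    return 0;
}
```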
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Firmware UBR (64 MB) | CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.1
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Daniel Hulliger from Cyber Defence Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Signature bypass on update upload (CVE-2025-41767)
Impact
By abusing an update signature bypass vulnerability, an attacker is able to fully compromise the device. This includes executing code as root and/or changing any system files. The attacker needs an admin user on the web interface, obtained by stealing either a password or a session token. Session tokens on this device have no expiration date!
The vulnerability described in CVE-2025-41772 further amplifies the risk of stolen session tokens!
Vulnerability Description
The Universal-BACnet Router UBR-01 is vulnerable to an update signature bypass vulnerability. This allows an administrator, or an attacker with admin credentials or a stolen admin session key, to execute code using an untrusted system update and gain full persistent root access on the device. When an update is uploaded, the HTTP request is handled by wwwupdate.cgi. The CGI program takes the filename parameter and does some sanitization, preventing path traversal attacks and verifying correct filename endings, but then uses the resulting filename without further verification as a parameter to execute the gpg program. By using a filename such as "-h f.upd" we can not only bypass the required steps to reach the PAppSpawn function, but also make sure the resulting error code is 0. This is important, because otherwise the update file will be deleted. This allows us to upload an unsigned or invalidly signed .upd file to the folder /updates/
CWE:CWE-347:Improper Verification of Cryptographic Signature
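The bypass works because a filename beginning with "-" is read by gpg as an option rather than as a file. The C code below is an added example, not MBS firmware code: it rejects such names and builds an argument vector in which the file can never be parsed as an option. The function names, the allowed character set and the use of `gpg --verify` are assumptions, since the advisory does not show the actual invocation.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UPDATE_DIR "/updates/"    /* folder named in the advisory */

/* Accept only plain update names: first character alphanumeric (so never
 * '-' or '.'), then letters, digits, '.', '_' or '-', ending in ".upd".
 * The character set and length limit are assumptions. */
int update_name_ok(const char *name)
{
    size_t len = strlen(name), i;

    if (len < 5 || len > 64)
        return 0;
    if (strcmp(name + len - 4, ".upd") != 0)
        return 0;
    if (!isalnum((unsigned char)name[0]))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return 0;                 /* spaces, '/', shell characters */
    }
    return strstr(name, "..") == NULL;
}

/* Build argv for the verification call. Two independent defences:
 *  - "--" ends option parsing, so nothing after it is read as an option;
 *  - the file is passed as an absolute path, which cannot start with '-'.
 * Returns argc, or -1 if the name is rejected or does not fit. */
int build_verify_argv(const char *name, char *path, size_t cap,
                      const char *argv[], size_t argv_cap)
{
    int n;

    if (!update_name_ok(name) || argv_cap < 5)
        return -1;
    n = snprintf(path, cap, UPDATE_DIR "%s", name);
    if (n < 0 || (size_t)n >= cap)
        return -1;
    argv[0] = "gpg";
    argv[1] = "--verify";
    argv[2] = "--";
    argv[3] = path;
    argv[4] = NULL;
    /* The caller must still require proof that a signature was checked,
     * not just exit status 0: printing help also exits with 0. */
    return 4;
}

/* Helper for the constructed samples: the file argument, or NULL. */
const char *demo_verify_target(const char *name)
{
    static char path[128];
    const char *argv[5];

    if (build_verify_argv(name, path, sizeof path, argv, 5) < 0)
        return NULL;
    return argv[3];
}

int main(void)
{
    /* Constructed sample names; the second is the one quoted above. */
    const char *names[] = { "fw_6.0.1.0.upd", "-h f.upd", "../fw.upd" };
    size_t i;

    for (i = 0; i < 3; i++) {
        const char *t = demo_verify_target(names[i]);
        printf("\"%s\" -> %s\n", names[i], t ? t : "rejected");
    }
    return 0;
}
```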
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8
Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Daniel Hulliger, Damian Pfammatter from Cyber Defence Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
wwwupdate.cgi Session token in URL (CVE-2025-41772)
Impact
Placing session tokens into the URL increases the risk that they will be captured by an attacker.
Vulnerability Description
Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed.
CWE:CWE-598:Use of GET Request Method With Sensitive Query Strings
Product status
Known affected
Product | CVSS-Vector | CVSS Base Score
Firmware UBR (32 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L | 6.8
Firmware UBR (64 MB) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L | 6.8
Fixed
Firmware UBR (32 MB) installed on UBR-01 Mk II
Firmware UBR (64 MB) installed on UBR-01 Mk II
Firmware UBR (32 MB) installed on UBR-02
Firmware UBR (64 MB) installed on UBR-02
Firmware UBR (32 MB) installed on UBR-LON
Firmware UBR (64 MB) installed on UBR-LON
Remediations
Vendor fix (2025-11-05T11:00:00.000Z)
MBS GmbH has officially released a new UBR firmware version V6.0.1.0 fixing the described vulnerability.
For groups:
Fixed products.
https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
Daniel Hulliger, Damian Pfammatter from Cyber Defense Campus Zurich for reporting the vulnerability to the vendor.
References
Please find the CVE-ID in the release notes for UBR firmware version V6.0.1.0. (self) https://en.mbs-solutions.de/firmwareupdate-router
Acknowledgments
MBS GmbH thanks the following parties for their efforts:
Adrien Rey from Cyber Defense Campus Zurich for reporting several vulnerabilities to the vendor.
Daniel Hulliger from Armasuisse for reporting the vulnerability to the vendor.
LICENSE
csaf creator
Link to repository: CERT@VDE CSAF Template © 2025 by CERT@VDE is licensed under CC BY-NC 4.0
This document note may only be removed in order to create a CSAF advisory based on this template.
MBS GmbH
Namespace: https://en.mbs-solutions.de
Phone: +49 2151 7294-0 | Mail: info@mbs-solutions.de
MBS GmbH is responsible for fixing any vulnerabilities related to MBS' products or services.
References
Firmware Update | Router (external) https://en.mbs-solutions.de/firmwareupdate-router
Revision history
Version | Date of the revision | Summary of the revision
1.0.0 | 2025-11-28T11:00:00.000Z | Initial creation of the document in draft form.
1.0.1 | 2025-12-17T13:00:00.000Z | Addition of vulnerabilities
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/
Disclaimer
MBS GmbH | Römerstraße 15 | 47809 Krefeld | Managing directors: Gerhard Memmen-Krüger, Melanie Loy, Nils-Gunnar Fritz | Register court: Krefeld HRB 3337 | VAT ID: DE 120 148 529
