Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.
AnalysisAI
Arbitrary file read on Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to retrieve sensitive files from the device filesystem via symlink injection in uploaded graphics packages. The locally-served web server follows symlinks without filesystem restriction, enabling information disclosure. EPSS score of 0.02% (5th percentile) indicates low widespread exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.
Technical ContextAI
CWE-59 represents improper link resolution before file access ('Link Following'). The Garmin WDU (Wireless Display Unit) exposes a web server that processes uploaded graphics packages. The server lacks symlink traversal protections and does not restrict link target resolution to a designated safe directory (no chroot jail, path validation, or filesystem access controls). When an attacker uploads a malicious graphics package containing symbolic links pointing to arbitrary filesystem locations (/etc/passwd, configuration files, keys), the web server dereferences and serves those target files. This vulnerability class (symlink attacks) was particularly common in legacy web applications and device management interfaces that trust user-supplied archive content without validation. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates network-accessible exploitation with no authentication barrier, though the impact is limited to confidentiality (C:H/I:N/A:N).
RemediationAI
Check with Garmin support (https://www8.garmin.com/support/ch.jsp?product=010-02642-00) for firmware updates addressing symlink traversal in the web server graphics upload handler. No specific patched version number is published in available references. Until a vendor patch is deployed, implement these compensating controls: Disable the graphics package upload feature via web interface administration settings if not operationally required (trade-off: loss of custom branding/display customization). Restrict network access to the WDU web server using firewall rules permitting only trusted management IPs (trade-off: complicates legitimate remote administration). Deploy network segmentation isolating WDU devices on dedicated VLANs unreachable from untrusted networks (trade-off: infrastructure complexity). Implement application-layer firewall or reverse proxy with strict file upload validation and symlink detection for organizations unable to disable upload functionality (trade-off: performance overhead, requires specialized configuration). Monitor web server access logs for unusual graphics package uploads or high-volume file read requests. Given the product's typical air-gapped deployment in cockpit systems, network isolation is the most practical short-term mitigation.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209828
GHSA-rp9w-778v-4h8m