Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.
AnalysisAI
Reflected cross-site scripting (XSS) in Garmin WDU v1 1.4.6 and v2 5.0 allows local network attackers to execute arbitrary JavaScript with full administrator-level access to the device. Exploitation requires the victim to visit a malicious URL and click an element on the rendered page, making this a moderate-risk vulnerability primarily affecting users on trusted networks who may be socially engineered.
Technical ContextAI
The Garmin WDU (Wearable Device Updater) is a locally served web application that fails to properly sanitize user-supplied input in URL parameters before reflecting it back in HTML responses. This is a classic reflected XSS vulnerability (CWE-79) where an attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser within the security context of the WDU web application. Because the WDU runs locally with administrative privileges and manages wearable device updates, successful XSS exploitation grants the attacker the same privileges as the authenticated administrator viewing the page.
RemediationAI
Upgrade Garmin WDU to a patched version released after v1 1.4.6 and v2 5.0 - consult Garmin support page https://www8.garmin.com/support/ch.jsp?product=010-02642-00 for the exact fixed version. If a patch is unavailable, implement network-level compensating controls: restrict WDU web interface access to trusted administrative users only via firewall rules (block TCP ports used by WDU from untrusted network segments), disable remote access to the WDU web server if not required, and educate users to avoid clicking links from untrusted sources that reference local WDU URLs. Note that these controls do not eliminate the vulnerability but reduce the attack surface to intentional social engineering rather than opportunistic exploitation.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209830
GHSA-qcwv-872h-7hpj