Skip to main content

Garmin WDU CVE-2025-27852

| EUVDEUVD-2025-209830 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-13 mitre GHSA-qcwv-872h-7hpj
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 13:23 vuln.today
CVSS changed
May 14, 2026 - 13:22 NVD
5.0 (MEDIUM)
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 13, 2026 - 00:00 nvd
MEDIUM 5.0

DescriptionCVE.org

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.

AnalysisAI

Reflected cross-site scripting (XSS) in Garmin WDU v1 1.4.6 and v2 5.0 allows local network attackers to execute arbitrary JavaScript with full administrator-level access to the device. Exploitation requires the victim to visit a malicious URL and click an element on the rendered page, making this a moderate-risk vulnerability primarily affecting users on trusted networks who may be socially engineered.

Technical ContextAI

The Garmin WDU (Wearable Device Updater) is a locally served web application that fails to properly sanitize user-supplied input in URL parameters before reflecting it back in HTML responses. This is a classic reflected XSS vulnerability (CWE-79) where an attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser within the security context of the WDU web application. Because the WDU runs locally with administrative privileges and manages wearable device updates, successful XSS exploitation grants the attacker the same privileges as the authenticated administrator viewing the page.

RemediationAI

Upgrade Garmin WDU to a patched version released after v1 1.4.6 and v2 5.0 - consult Garmin support page https://www8.garmin.com/support/ch.jsp?product=010-02642-00 for the exact fixed version. If a patch is unavailable, implement network-level compensating controls: restrict WDU web interface access to trusted administrative users only via firewall rules (block TCP ports used by WDU from untrusted network segments), disable remote access to the WDU web server if not required, and educate users to avoid clicking links from untrusted sources that reference local WDU URLs. Note that these controls do not eliminate the vulnerability but reduce the attack surface to intentional social engineering rather than opportunistic exploitation.

Share

CVE-2025-27852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy