Skip to main content

Garmin WDU CVE-2025-27853

| EUVDEUVD-2025-209831 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-13 mitre GHSA-cvgr-crrw-gcqx
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 16:22 vuln.today
CVSS changed
May 14, 2026 - 16:22 NVD
7.3 (HIGH)
CVE Published
May 13, 2026 - 00:00 nvd
HIGH 7.3
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.

AnalysisAI

Authentication bypass in Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to execute arbitrary commands via WebSocket API. The web interface implements client-side-only authentication while the WebSocket backend enforces no authentication, enabling complete bypass by directly accessing remote APIs. With CVSS 7.3 (AV:N/AC:L/PR:N) but only 0.03% EPSS probability, this represents a critical design flaw in deployed devices rather than actively exploited widespread threat. No public exploit identified at time of analysis.

Technical ContextAI

The Garmin WDU (Wireless Display Unit) is a marine navigation display device with a locally-hosted web management interface. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where authentication is implemented solely in client-side JavaScript rather than enforced server-side. The architecture uses WebSockets for client-server communication, a bidirectional protocol commonly used for real-time control interfaces. In this flawed design, the web UI performs credential checks in the browser, but the WebSocket endpoints that actually execute administrative commands have no corresponding server-side authentication layer. This architectural failure allows attackers to bypass the entire authentication flow by crafting direct WebSocket messages to the device's control APIs, completely circumventing the browser-based credential check. Affected products include Garmin WDU v1 (version 1.4.6) and WDU v2 (version 5.0), marine-grade wireless display units typically deployed on boats and ships.

RemediationAI

Contact Garmin support via https://www8.garmin.com/support/ch.jsp?product=010-02642-00 to obtain firmware updates addressing authentication bypass. No specific patched firmware version is identified in available data, requiring vendor confirmation of fix availability. Until patching, implement network-level access controls: restrict WDU web interface access to trusted management VLANs only, disable remote access to device management ports, and monitor network traffic for unauthorized WebSocket connections to WDU IP addresses. For vessels requiring remote monitoring, place WDU devices behind VPN with multi-factor authentication rather than exposing directly to internet or marina networks. Firewall rules should block TCP ports used by WDU web service (typically 80/443) from untrusted networks. Note that disabling the web interface entirely may impact legitimate remote diagnostics and configuration workflows, requiring assessment of operational requirements versus security posture.

Share

CVE-2025-27853 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy