Universal Bacnet Router Firmware
CVE-2025-41764
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.
AnalysisAI
Unauthorized firmware upload via wwwupdate.cgi endpoint due to insufficient authorization. Remote attackers can upload and apply arbitrary firmware updates.
Technical ContextAI
CWE-862 missing authorization on firmware update endpoint. Attackers can push arbitrary firmware.
RemediationAI
Apply vendor patch. Restrict management access.
Unauthorized file upload via wwwupload.cgi endpoint. Same product as CVE-2025-41764 — second unauthorized upload vector.
A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevate
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to
A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to o
An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL
Universal Bacnet Router Firmware is affected by improper verification of cryptographic signature (CVSS 7.2).
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system.
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource availabl
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauth
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today