Universal Bacnet Router Firmware
CVE-2025-41765
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.
AnalysisAI
Unauthorized file upload via wwwupload.cgi endpoint. Same product as CVE-2025-41764 — second unauthorized upload vector.
Technical ContextAI
CWE-862 missing authorization on file upload. Complements firmware upload vulnerability.
RemediationAI
Apply vendor patch.
Unauthorized firmware upload via wwwupdate.cgi endpoint due to insufficient authorization. Remote attackers can upload a
A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevate
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to
A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to o
An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL
Universal Bacnet Router Firmware is affected by improper verification of cryptographic signature (CVSS 7.2).
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system.
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource availabl
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauth
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today