Universal Bacnet Router Firmware
CVE-2025-41767
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR.
AnalysisAI
Universal Bacnet Router Firmware is affected by improper verification of cryptographic signature (CVSS 7.2).
Technical ContextAI
This vulnerability (CWE-347: Improper Verification of Cryptographic Signature) exists in the wwwupdate.cgi method in the web component. A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Unauthorized firmware upload via wwwupdate.cgi endpoint due to insufficient authorization. Remote attackers can upload a
Unauthorized file upload via wwwupload.cgi endpoint. Same product as CVE-2025-41764 — second unauthorized upload vector.
A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevate
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to
A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to o
An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system.
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpo
A low‑privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource availabl
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauth
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today