Skip to main content

Garmin WDU EUVDEUVD-2025-209828

| CVE-2025-27850 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-05-13 mitre GHSA-rp9w-778v-4h8m
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 14, 2026 - 16:22 vuln.today
CVSS changed
May 14, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
May 13, 2026 - 00:00 nvd
HIGH 7.5
CVE Published
May 13, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.

AnalysisAI

Arbitrary file read on Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to retrieve sensitive files from the device filesystem via symlink injection in uploaded graphics packages. The locally-served web server follows symlinks without filesystem restriction, enabling information disclosure. EPSS score of 0.02% (5th percentile) indicates low widespread exploitation probability. No public exploit or CISA KEV listing identified at time of analysis.

Technical ContextAI

CWE-59 represents improper link resolution before file access ('Link Following'). The Garmin WDU (Wireless Display Unit) exposes a web server that processes uploaded graphics packages. The server lacks symlink traversal protections and does not restrict link target resolution to a designated safe directory (no chroot jail, path validation, or filesystem access controls). When an attacker uploads a malicious graphics package containing symbolic links pointing to arbitrary filesystem locations (/etc/passwd, configuration files, keys), the web server dereferences and serves those target files. This vulnerability class (symlink attacks) was particularly common in legacy web applications and device management interfaces that trust user-supplied archive content without validation. The CVSS vector AV:N/AC:L/PR:N/UI:N indicates network-accessible exploitation with no authentication barrier, though the impact is limited to confidentiality (C:H/I:N/A:N).

RemediationAI

Check with Garmin support (https://www8.garmin.com/support/ch.jsp?product=010-02642-00) for firmware updates addressing symlink traversal in the web server graphics upload handler. No specific patched version number is published in available references. Until a vendor patch is deployed, implement these compensating controls: Disable the graphics package upload feature via web interface administration settings if not operationally required (trade-off: loss of custom branding/display customization). Restrict network access to the WDU web server using firewall rules permitting only trusted management IPs (trade-off: complicates legitimate remote administration). Deploy network segmentation isolating WDU devices on dedicated VLANs unreachable from untrusted networks (trade-off: infrastructure complexity). Implement application-layer firewall or reverse proxy with strict file upload validation and symlink detection for organizations unable to disable upload functionality (trade-off: performance overhead, requires specialized configuration). Monitor web server access logs for unusual graphics package uploads or high-volume file read requests. Given the product's typical air-gapped deployment in cockpit systems, network isolation is the most practical short-term mitigation.

Share

EUVD-2025-209828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy