Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.
AnalysisAI
Authentication bypass in Garmin WDU v1 1.4.6 and v2 5.0 allows remote unauthenticated attackers to execute arbitrary commands via WebSocket API. The web interface implements client-side-only authentication while the WebSocket backend enforces no authentication, enabling complete bypass by directly accessing remote APIs. With CVSS 7.3 (AV:N/AC:L/PR:N) but only 0.03% EPSS probability, this represents a critical design flaw in deployed devices rather than actively exploited widespread threat. No public exploit identified at time of analysis.
Technical ContextAI
The Garmin WDU (Wireless Display Unit) is a marine navigation display device with a locally-hosted web management interface. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), where authentication is implemented solely in client-side JavaScript rather than enforced server-side. The architecture uses WebSockets for client-server communication, a bidirectional protocol commonly used for real-time control interfaces. In this flawed design, the web UI performs credential checks in the browser, but the WebSocket endpoints that actually execute administrative commands have no corresponding server-side authentication layer. This architectural failure allows attackers to bypass the entire authentication flow by crafting direct WebSocket messages to the device's control APIs, completely circumventing the browser-based credential check. Affected products include Garmin WDU v1 (version 1.4.6) and WDU v2 (version 5.0), marine-grade wireless display units typically deployed on boats and ships.
RemediationAI
Contact Garmin support via https://www8.garmin.com/support/ch.jsp?product=010-02642-00 to obtain firmware updates addressing authentication bypass. No specific patched firmware version is identified in available data, requiring vendor confirmation of fix availability. Until patching, implement network-level access controls: restrict WDU web interface access to trusted management VLANs only, disable remote access to device management ports, and monitor network traffic for unauthorized WebSocket connections to WDU IP addresses. For vessels requiring remote monitoring, place WDU devices behind VPN with multi-factor authentication rather than exposing directly to internet or marina networks. Firewall rules should block TCP ports used by WDU web service (typically 80/443) from untrusted networks. Note that disabling the web interface entirely may impact legitimate remote diagnostics and configuration workflows, requiring assessment of operational requirements versus security posture.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209831
GHSA-cvgr-crrw-gcqx