CVE-2025-41756

Arbitrary Write with ubr-editfile

CVSS 8.1 HIGH | EPSS 0.3% | CWE-1242
In short

A remote attacker with low privileges can exploit a hidden API function to write any file on the server, potentially compromising the entire system.

Technical detail

The wwwubr.cgi endpoint exposes an undocumented ubr-editfile method that lacks proper access controls, allowing low-privileged remote attackers to write arbitrary files to the filesystem. This CWE-1242 vulnerability bypasses intended security boundaries and can be leveraged for code execution or configuration tampering.

Summary generated and translated by AI from the official description.
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint, to write arbitrary files on the system.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
