CVE-2025-41758

Arbitrary Write with wwwupload.cgi

CVSS 8.8 HIGH | EPSS 0.5% | CWE-22
In short

A vulnerability in wwwupload.cgi allows an attacker to write files anywhere on the system by using path traversal tricks, potentially taking complete control of the device.

Technical detail

The wwwupload.cgi endpoint fails to properly validate file paths, enabling a low-privileged remote attacker to perform arbitrary file write operations via path traversal (CWE-22). This can result in overwriting critical system files and achieving remote code execution or full system compromise.

Summary generated and translated by AI from the official description.
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
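
The missing check behind this class of bug (CWE-22 in an upload handler), shown as an added example that is not the vendor's code: an unvalidated join beside a containment check that resolves the destination and refuses anything outside the upload directory. The function names, the upload root and the sample file names are assumptions constructed for illustration; the page does not describe the endpoint's parameters or implementation.

```python
import os
import tempfile

class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied name would resolve outside the upload root."""

def naive_destination(upload_root, client_name):
    # Unvalidated join: the CWE-22 pattern. "../" segments and absolute
    # names are honoured, so the result can leave upload_root.
    return os.path.normpath(os.path.join(upload_root, client_name))

def safe_destination(upload_root, client_name):
    # Resolve symlinks in the root once so comparisons use real paths.
    root = os.path.realpath(upload_root)
    if not client_name or "\x00" in client_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    # Treat backslashes as separators too, then refuse absolute names.
    name = client_name.replace("\\", "/")
    if name.startswith("/"):
        raise UnsafeUploadPath("absolute path")
    # realpath collapses ".." and follows symlinks already on disk.
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeUploadPath("resolves outside upload root")
    return candidate

def demo():
    # Constructed sample names, checked against a throwaway directory tree.
    names = ["firmware.bin", "sub/../ok.txt", "../etc/passwd",
             "/etc/passwd", "link/escape.txt", "..\\..\\etc\\passwd"]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "uploads")
        os.mkdir(root)
        # A symlink inside the upload root that points back out of it.
        os.symlink(base, os.path.join(root, "link"))
        for name in names:
            try:
                safe_destination(root, name)
                results[name] = "accepted"
            except UnsafeUploadPath as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r:28} {verdict}")
```

The check only narrows the window: the handler should also open the destination without following symlinks and run with write access limited to the upload directory, so a failed or raced check cannot reach system files.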
