CVE-2025-41759

Use of wildcard (“*” or “all”) in Block list

CVSS 4.9 MEDIUM | EPSS 0.3% | CWE-636
In short

An administrator trying to block all networks by using a wildcard ("*" or "all") thinks the block worked, but the system silently ignores it and blocks nothing instead. This creates a false sense of security.

Technical detail

The application accepts wildcard values ("*" or "all") in network blocklists without validation, silently defaulting to network 0 instead of blocking all networks. An attacker with network access can exploit this misconfiguration if an administrator believes they have implemented a comprehensive network block policy.

Summary generated and translated by AI from the official description.

An administrator may attempt to block all networks by specifying "*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
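
The behaviour described above, next to a fail-closed validator and a block-list audit, as an added example that is not vendor code. It assumes network identifiers are non-negative integers; the function names and the sample entries are hypothetical.

```python
# Added example: models the behaviour the advisory describes; not vendor code.
# Assumption: each block-list entry is one non-negative integer network identifier.

UNSUPPORTED_WILDCARDS = {"*", "all"}  # the two values named in the advisory


def _is_network_id(value: str) -> bool:
    """True only for plain ASCII decimal digits."""
    return value.isascii() and value.isdigit()


def lenient_parse(entry: str) -> int:
    """Model of the flaw: any non-numeric value silently becomes network 0."""
    value = entry.strip()
    return int(value) if _is_network_id(value) else 0


def strict_parse(entry: str) -> int:
    """Fail closed: raise instead of substituting a default network."""
    value = entry.strip()
    if value.lower() in UNSUPPORTED_WILDCARDS:
        raise ValueError(f"wildcard {value!r} is not supported in the block list")
    if not _is_network_id(value):
        raise ValueError(f"invalid network identifier {value!r}")
    return int(value)


def audit_blocklist(entries):
    """Return (position, entry, reason) for entries that would not block as intended."""
    findings = []
    for pos, entry in enumerate(entries, start=1):
        try:
            strict_parse(entry)
        except ValueError as exc:
            findings.append((pos, entry, str(exc)))
    return findings


# Constructed sample block list, not taken from any real device.
SAMPLE_BLOCKLIST = ["12", "all", "7", "*"]

if __name__ == "__main__":
    for pos, entry, reason in audit_blocklist(SAMPLE_BLOCKLIST):
        stored = lenient_parse(entry)
        print(f"entry {pos}: {entry!r}: {reason} (lenient parser stores network {stored})")
```

Any entry the audit reports is one where the administrator's intent and the stored value differ, so it should be replaced with explicit network identifiers.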
