CVE-2025-41760

Pass filter with Empty Table

CVSS 4.9 MEDIUM | EPSS 0.3% | CWE-636
In short

An administrator can create a security filter that they believe blocks all traffic, but instead it accidentally allows everything through. This happens because the system treats an empty filter list as 'no restrictions' instead of 'block everything'.

Technical detail

A pass filter configured with an empty table in UBR fails to enforce intended traffic restrictions due to improper handling of empty ruleset logic. The vulnerability requires administrative access to configure the filter, but results in complete bypass of the intended filtering policy, allowing unrestricted network traffic when a deny-all posture was intended.

Summary generated and translated by AI from the official description.
An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
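
The empty-table behaviour described above can be modelled and audited for as follows. This is an added example, not code from UBR or from the advisory. The filter schema (`type`, `table`), the filter names and the addresses are constructed assumptions.

```python
import ipaddress

def pass_filter_allows(src_ip, table, empty_means_allow_all):
    """Evaluate a pass (allow-list) filter for one source address.

    table: list of CIDR strings permitted to pass.
    empty_means_allow_all=True models the behaviour the advisory describes;
    False models the deny-all result the administrator expected.
    """
    if not table:
        return empty_means_allow_all
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in table)

def audit_pass_filters(filters):
    """Return the names of pass filters whose table is empty or missing."""
    return sorted(name for name, f in filters.items()
                  if f.get("type") == "pass" and not f.get("table"))

# Constructed sample configuration (hypothetical schema, not UBR's format).
SAMPLE_FILTERS = {
    "mgmt-only": {"type": "pass", "table": ["192.0.2.0/28"]},
    "lockdown": {"type": "pass", "table": []},  # intended as deny-all
    "drop-bogons": {"type": "drop", "table": ["198.51.100.0/24"]},
}

if __name__ == "__main__":
    # Flag every pass filter that relies on an empty table to block traffic.
    for name in audit_pass_filters(SAMPLE_FILTERS):
        print(f"{name}: empty pass table, verify that traffic is actually blocked")
    # Compare both interpretations for an in-range and an out-of-range source.
    for src in ("192.0.2.5", "203.0.113.9"):
        for name in ("mgmt-only", "lockdown"):
            table = SAMPLE_FILTERS[name]["table"]
            print(name, src,
                  "fail-open:", pass_filter_allows(src, table, True),
                  "fail-closed:", pass_filter_allows(src, table, False))
```

The two interpretations differ only for the empty table, which is why an audit for empty pass tables is enough to find filters whose effective policy may not match the intended one.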
