CVE-2025-41764

Unchecked role in wwwupdate.cgi

CVSS 9.1 CRITICAL | EPSS 0.4% | CWE-862
In short

A vulnerability in the wwwupdate.cgi file allows anyone on the internet to upload and install malicious software updates without proper permission checks. This is critical because attackers can completely take over the affected system.

Technical detail

Because of insufficient authorization controls (CWE-862, Missing Authorization), unauthenticated remote attackers can access the wwwupdate.cgi endpoint and upload arbitrary update packages. The vulnerability enables unauthorized code execution with system privileges, resulting in complete system compromise.

Summary generated and translated by AI from the official description.
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
