CVE-2025-41754 Overview
CVE-2025-41754 is an arbitrary file read vulnerability in the MBS Solutions Universal BACnet Router (UBR) firmware. The flaw resides in the ubr-editfile method of wwwubr.cgi, an undocumented and unused API endpoint. A low-privileged remote attacker authenticated to the device can invoke this endpoint to read arbitrary files from the underlying system.
The vulnerability affects the UBR-01 MK II, UBR-02, and UBR-LON industrial gateways used to bridge BACnet networks in building automation environments. The weakness is classified under CWE-1242: Inclusion of Undocumented Features.
Critical Impact
Authenticated attackers can extract sensitive configuration files, credentials, and operational data from BACnet routers deployed in building automation systems.
Affected Products
- MBS Solutions Universal BACnet Router Firmware
- MBS Solutions UBR-01 MK II
- MBS Solutions UBR-02
- MBS Solutions UBR-LON
Discovery Timeline
- 2026-03-09 - CVE-2025-41754 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-41754
Vulnerability Analysis
The vulnerability exists in wwwubr.cgi, the CGI handler that processes web-based management requests on the UBR firmware. The ubr-editfile method is an undocumented API endpoint that remains accessible despite being unused by the official management interface. Authenticated users with low privileges can invoke this method directly through crafted HTTP requests.
The endpoint accepts file path parameters and returns file contents without enforcing access restrictions tied to the requester's privilege level. This allows retrieval of operating system files, application configuration, and stored credentials. Because UBR devices typically run with elevated service accounts, the readable scope extends well beyond the user's intended boundaries.
Root Cause
The root cause is the presence of a hidden, undocumented feature (CWE-1242) that bypasses the access control model applied to documented endpoints. The ubr-editfile method was retained in production firmware without authorization checks proportional to its capability. The endpoint trusts authenticated sessions regardless of role, granting file-read access to any logged-in account.
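The CWE-1242 shape described above is easiest to see in a dispatcher. The following is an added illustration, not code from the MBS UBR firmware: the handler registry, the two-level role model, the method names other than ubr-editfile and the file contents are all constructed. The vulnerable dispatcher routes any method name to any handler compiled into the image; the hardened one routes only methods on the documented allowlist and enforces a per-method role.

```python
"""Illustrative method dispatcher for a CGI-style management handler.

Added example, not MBS UBR firmware code: the method names other than
'ubr-editfile', the role model and the file contents are all constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "user" or "admin" (assumed two-level role model)


ROLE_RANK = {"user": 1, "admin": 2}

# Constructed stand-in for files on the device; nothing touches the real file system.
DEVICE_FILES = {
    "/etc/ubr/status": "uptime=12345",
    "/etc/ubr/config.ini": "bacnet_port=47808\nbbmd=10.0.0.5",
    "/etc/ubr/users.db": "admin:$6$constructed-hash",
}


def h_status(params):
    return DEVICE_FILES["/etc/ubr/status"]


def h_setconfig(params):
    DEVICE_FILES["/etc/ubr/config.ini"] = params.get("body", "")
    return "ok"


def h_editfile(params):
    # Returns whatever file the request names: the undocumented capability.
    return DEVICE_FILES.get(params.get("path", ""), "")


# Every handler compiled into the image, including the unused one.
HANDLERS = {"ubr-status": h_status, "ubr-setconfig": h_setconfig, "ubr-editfile": h_editfile}

# The documented API surface and the minimum role each method requires.
DOCUMENTED = {"ubr-status": "user", "ubr-setconfig": "admin"}


def vulnerable_dispatch(session: Optional[Session], method: str, params: dict):
    """CWE-1242 shape: any authenticated session reaches any compiled-in handler."""
    if session is None:
        return 401, ""
    handler = HANDLERS.get(method)
    if handler is None:
        return 404, ""
    return 200, handler(params)


def hardened_dispatch(session: Optional[Session], method: str, params: dict):
    """Only documented methods are routable, and each one checks the caller's role."""
    if session is None:
        return 401, ""
    required = DOCUMENTED.get(method)
    if required is None:
        return 404, ""  # undocumented handlers are unreachable, not merely hidden
    if ROLE_RANK[session.role] < ROLE_RANK[required]:
        return 403, ""
    return 200, HANDLERS[method](params)
```

The important difference is that the hardened dispatcher derives the reachable surface from the documented allowlist rather than from whatever handlers happen to be linked in, so an unused handler left in the build is simply unreachable. If a file-serving method is genuinely needed, it additionally belongs behind the admin role and a path confined to an export directory; the toy h_editfile above deliberately has neither, to mirror the advisory's description.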
Attack Vector
Exploitation requires network access to the device's management interface and valid low-privileged credentials. The attacker sends an HTTP request to wwwubr.cgi invoking the ubr-editfile method with a target file path. The CGI returns the file contents in the response body. No user interaction is required, and the attack does not impact integrity or availability of the device — only confidentiality of stored data.
The vulnerability mechanism follows the pattern of hidden administrative interfaces exposed through CGI handlers. See the MBS Solutions Security Advisory for vendor-specific technical details.
Detection Methods for CVE-2025-41754
Indicators of Compromise
- HTTP requests targeting wwwubr.cgi that include the ubr-editfile method parameter, particularly from accounts not associated with administrative workflows.
- Outbound traffic from UBR devices following authenticated sessions, suggesting credential or configuration exfiltration.
- Repeated authentication events from a single source followed by uncommon CGI invocations.
Detection Strategies
- Inspect web server and CGI access logs on UBR devices for any reference to the ubr-editfile method, which should not appear during normal operations.
- Baseline normal API usage patterns and alert on invocations of undocumented endpoints in wwwubr.cgi.
- Correlate low-privileged user sessions with file-read response sizes that exceed expected management traffic.
Monitoring Recommendations
- Forward UBR device logs to a centralized SIEM to enable retention and correlation across the OT environment.
- Monitor network segments hosting building automation controllers for anomalous HTTP traffic to management interfaces.
- Track account activity on UBR devices and flag low-privileged accounts performing administrative-style queries.
How to Mitigate CVE-2025-41754
Immediate Actions Required
- Apply the firmware update published in the MBS Solutions Security Advisory MBS-2025-0001.
- Restrict network access to UBR management interfaces using firewall rules that permit only trusted engineering workstations.
- Rotate credentials on UBR devices, especially for low-privileged accounts that may have been used to exercise the endpoint.
- Audit user accounts on affected devices and remove any that are no longer required.
Patch Information
MBS Solutions has released firmware updates addressing the vulnerability. Refer to advisory MBS-2025-0001 on the vendor site for affected firmware versions and the corresponding fixed releases. Update all UBR-01 MK II, UBR-02, and UBR-LON devices to the patched firmware version specified by the vendor.
Workarounds
- Place UBR devices behind a segmented OT network and block direct access from corporate or untrusted networks.
- Enforce VPN or jump-host access for any administrative interaction with UBR management interfaces.
- Disable or restrict accounts that do not require web management access until the firmware update is deployed.
# Example firewall rules restricting UBR management access to a trusted subnet.
# Assumes the management interface listens on plain HTTP (port 80); if HTTPS
# management is enabled, an equivalent pair is needed for port 443. Insert these
# ahead of any broader ACCEPT rule in the INPUT chain, or the appended DROP is
# never reached.
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


