CVE-2025-41755 Overview
CVE-2025-41755 is a path traversal vulnerability affecting MBS Solutions Universal BACnet Router firmware. A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it to reference any file and retrieve its contents.
Critical Impact
Authenticated attackers can read sensitive system files including configuration data, credentials, and other confidential information stored on affected BACnet router devices.
Affected Products
- MBS Solutions Universal BACnet Router Firmware
- MBS Solutions UBR-01 MK II
- MBS Solutions UBR-02
- MBS Solutions UBR-LON
Discovery Timeline
- 2026-03-09 - CVE-2025-41755 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-41755
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The flaw exists in the web management interface of MBS Solutions Universal BACnet Router devices, specifically within the wwwubr.cgi script's ubr-logread functionality.
The vulnerability allows authenticated remote attackers to bypass intended file access restrictions by manipulating the log file path parameter. While the endpoint is designed to read log files from specific locations like /tmp/weblog{number}, insufficient input validation enables attackers to use directory traversal sequences (such as ../) to escape the intended directory and access arbitrary files on the filesystem.
This represents a significant information disclosure risk, as attackers can potentially retrieve sensitive configuration files, stored credentials, network settings, and other confidential data from the affected devices. Given that BACnet routers are commonly deployed in building automation and industrial control systems, unauthorized access to such information could facilitate further attacks on critical infrastructure.
Root Cause
The root cause of CVE-2025-41755 is improper input validation in the ubr-logread method within wwwubr.cgi. The application accepts user-supplied input for specifying which log file to read but fails to sanitize or validate this input against path traversal sequences. The code does not properly restrict file access to the intended log directory, allowing attackers to traverse the directory structure and access files outside the expected path.
Attack Vector
The attack is conducted over the network against the web management interface of affected devices. An attacker with low-privilege credentials can send crafted HTTP requests to the wwwubr.cgi endpoint, manipulating the log file parameter to include directory traversal sequences. By modifying the expected log file path (e.g., /tmp/weblog1) to include traversal patterns, the attacker can reference and retrieve the contents of arbitrary files accessible to the web server process.
The attack requires network access to the device's web interface and valid low-privilege credentials, but no user interaction is needed once these prerequisites are met. The confidentiality impact is high as attackers can read sensitive system files.
Detection Methods for CVE-2025-41755
Indicators of Compromise
- HTTP requests to wwwubr.cgi containing ubr-logread method calls with unexpected path parameters
- Access log entries showing requests with directory traversal sequences (e.g., ../, ..%2f, %2e%2e/)
- Unusual file access patterns on affected devices, particularly reads of sensitive configuration files
- Authentication events followed by suspicious CGI requests from the same source
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Monitor HTTP access logs for requests to wwwubr.cgi containing suspicious path manipulation characters
- Deploy network intrusion detection signatures for BACnet router exploitation attempts
- Enable verbose logging on affected devices to capture and analyze CGI request parameters
Monitoring Recommendations
- Establish baseline network behavior for BACnet router management interfaces and alert on anomalies
- Monitor for unusual file read operations or access to sensitive system files on affected devices
- Implement network segmentation to isolate building automation systems and monitor cross-segment traffic
- Review authentication logs for brute force attempts or unauthorized access to device management interfaces
How to Mitigate CVE-2025-41755
Immediate Actions Required
- Apply firmware updates from MBS Solutions as soon as they become available
- Restrict network access to affected device management interfaces using firewalls or ACLs
- Review and audit user accounts with access to affected devices, removing unnecessary accounts
- Implement network segmentation to isolate vulnerable BACnet routers from untrusted networks
- Enable monitoring and logging for all access to affected device management interfaces
Patch Information
MBS Solutions has published a security advisory addressing this vulnerability. Organizations using affected Universal BACnet Router products should consult the MBS Solutions Security Advisory for specific firmware update instructions and availability.
Workarounds
- Disable or restrict access to the web management interface if not operationally required
- Implement strict network access controls limiting management interface access to authorized IP addresses only
- Deploy a reverse proxy or web application firewall in front of the management interface to filter malicious requests
- Use VPN connections for remote management access rather than exposing the interface directly to untrusted networks
# Example firewall rule to restrict management interface access
# Allow only specific management network to access web interface
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
# Alternative: Use network ACLs on upstream switch/router
# Permit only authorized management stations to device IP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
