CVE-2025-41757 Overview
CVE-2025-41757 is a path traversal vulnerability affecting MBS Solutions Universal BACnet Router firmware. A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore), which runs with elevated privileges and does not validate the contents of the backup archive, to create or overwrite arbitrary files anywhere on the system.
Critical Impact
Remote attackers with low-level access can achieve arbitrary file write with elevated privileges, potentially leading to full system compromise of building automation network infrastructure.
Affected Products
- MBS Solutions Universal BACnet Router Firmware
- MBS Solutions UBR-01 MK II
- MBS Solutions UBR-02
- MBS Solutions UBR-LON
Discovery Timeline
- 2026-03-09 - CVE-2025-41757 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-41757
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The ubr-restore backup restoration utility operates with elevated system privileges but fails to properly validate or sanitize file paths contained within backup archives before extracting them to the filesystem.
When processing a backup archive, the restore functionality blindly trusts the path information embedded within the archive structure. This design flaw allows an attacker to craft a malicious backup archive containing files with directory traversal sequences (such as ../) in their path names. Upon restoration, these files are written to arbitrary locations on the filesystem with the elevated privileges of the ubr-restore process.
The network-accessible nature of this vulnerability combined with the low privilege requirement makes it particularly dangerous in building automation environments where BACnet routers serve as critical infrastructure components. Successful exploitation could enable an attacker to overwrite system configuration files, inject malicious code into startup scripts, or replace firmware components.
Root Cause
The root cause is insufficient input validation in the ubr-restore utility. The backup restoration process fails to:
- Sanitize file paths within backup archives to remove or reject directory traversal sequences
- Validate that extracted files remain within the intended restoration directory
- Implement proper path canonicalization before file write operations
This allows crafted backup archives to escape the intended extraction directory and write files anywhere on the filesystem.
Attack Vector
The attack is network-based and requires only low-level authentication to the affected device. An attacker crafts a malicious backup archive containing files with path traversal sequences embedded in the file path names. When this archive is submitted to the ubr-restore functionality, the files are extracted to locations outside the intended backup restoration directory.
The vulnerability can be exploited by creating a tar or zip archive where file entries include relative path components like ../../etc/shadow or ../../../root/.ssh/authorized_keys. When the privileged restore process extracts these entries, the traversal sequences cause files to be written to arbitrary system locations.
This attack methodology enables:
- Overwriting critical system configuration files
- Planting backdoors or malicious scripts in system startup directories
- Modifying authentication credentials or SSH authorized keys
- Potentially achieving persistent remote access or full device compromise
Detection Methods for CVE-2025-41757
Indicators of Compromise
- Unexpected file creation or modification in system directories outside the normal backup restoration paths
- Suspicious backup restore operations from unauthorized or unusual source IP addresses
- Modified system configuration files, startup scripts, or authentication-related files with timestamps correlating to backup restore activity
- Presence of files containing path traversal sequences (../) in backup logs or temporary directories
Detection Strategies
- Monitor file system events for write operations to sensitive system directories during backup restore operations
- Implement network monitoring to detect backup restore API calls from unauthorized clients
- Deploy file integrity monitoring (FIM) on critical system files to detect unauthorized modifications
- Review audit logs for ubr-restore process activity and correlate with expected administrative operations
Monitoring Recommendations
- Configure alerting for any modifications to /etc/, /root/, and other sensitive system directories
- Implement network segmentation to restrict access to BACnet router management interfaces
- Enable detailed logging on the Universal BACnet Router devices and forward logs to a centralized SIEM for correlation
- Periodically audit backup archives stored on or uploaded to affected devices for suspicious path entries
How to Mitigate CVE-2025-41757
Immediate Actions Required
- Review and restrict network access to UBR device management interfaces to trusted administrative hosts only
- Implement network segmentation to isolate building automation systems from general network access
- Disable backup restore functionality if not actively required until patches can be applied
- Audit existing backup archives for potential malicious content before allowing restoration
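The checks listed under Root Cause (reject traversal sequences, canonicalize paths, confirm entries stay inside the restore directory) can be run offline to audit a backup archive before restoration, as the monitoring and mitigation items recommend. The Python below is an added example, not code from MBS Solutions or from the original advisory. It assumes the backup is a plain tar or zip archive; the restore directory /restore and the sample entry names are hypothetical.

```python
import io
import posixpath
import tarfile
import zipfile

def escapes(root, name):
    """True if entry path `name`, canonicalized under `root`, lands outside `root`."""
    if name.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(root, name))
    return resolved != root and not resolved.startswith(root + "/")

def audit_archive(data, root="/restore"):  # root: hypothetical restore directory
    """Return (entry_name, reason) findings for a tar or zip backup given as bytes."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if escapes(root, info.filename):
                    findings.append((info.filename, "path escapes restore dir"))
        return findings
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes(root, m.name):
                findings.append((m.name, "path escapes restore dir"))
            elif m.issym() or m.islnk():
                # Symlink targets resolve from the entry's directory, hard links from the archive root
                base = posixpath.dirname(m.name) if m.issym() else ""
                if escapes(root, posixpath.join(base, m.linkname)):
                    findings.append((m.name, "link target escapes restore dir"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file (device or FIFO)"))
    return findings

def sample_backup():
    """Constructed test archive: a benign entry, a traversal entry, an escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("config/ubr.conf", "../../etc/shadow"):
            ti = tarfile.TarInfo(name)
            ti.size = 1
            tf.addfile(ti, io.BytesIO(b"x"))
        link = tarfile.TarInfo("config/keys")
        link.type, link.linkname = tarfile.SYMTYPE, "../../root/.ssh"
        tf.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_archive(sample_backup()))
```

The auditor only lists entries and never extracts them, so it can be run on an analysis host against archives of unknown origin.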
Patch Information
MBS Solutions has released a security advisory addressing this vulnerability. Administrators should consult the MBS Solutions Advisory MBS-2025-0001 for official patch information and firmware update instructions.
Apply the latest firmware version that addresses CVE-2025-41757 to all affected Universal BACnet Router devices. Follow vendor-provided upgrade procedures and verify firmware integrity before deployment.
Workarounds
- Restrict network access to the backup restore functionality using firewall rules or access control lists
- Implement strong authentication requirements for administrative functions on affected devices
- Place affected devices behind a VPN or other secure remote access solution to limit exposure
- Monitor and log all backup restore operations for review by security personnel
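# Example firewall rules restricting management access (HTTP/HTTPS) to one trusted admin host
# eth0 and 192.168.1.100 are placeholders; adjust interface and IP addresses for your environment
# Rules are appended (-A) and evaluated in order, so the ACCEPT rules must stay ahead of the DROP rules
# INPUT only filters traffic addressed to the host running iptables; on a gateway in front of the device, use the FORWARD chain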
iptables -A INPUT -i eth0 -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 443 -j DROP


