CVE-2025-41760 Overview
CVE-2025-41760 is a security configuration bypass vulnerability affecting MBS Solutions Universal BACnet Router (UBR) firmware. The vulnerability occurs when an administrator attempts to block all network traffic by configuring a pass filter with an empty table. However, the UBR firmware incorrectly interprets an empty filter list as having no restrictions, allowing all network traffic to pass unfiltered instead of blocking it as intended.
This behavior represents a significant design flaw (CWE-636: Not Failing Securely) in building automation network infrastructure, where administrators may believe they have implemented restrictive network policies when in fact no filtering is occurring.
Critical Impact
Administrators may unknowingly leave BACnet network traffic completely unfiltered, potentially exposing building automation systems to unauthorized access and control.
Affected Products
- MBS Solutions Universal BACnet Router Firmware (all versions)
- MBS Solutions UBR-01 MK II
- MBS Solutions UBR-02
- MBS Solutions UBR-LON
Discovery Timeline
- 2026-03-09 - CVE-2025-41760 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2025-41760
Vulnerability Analysis
This vulnerability stems from a fundamental logic flaw in how the Universal BACnet Router processes filter configuration tables. When a pass filter is configured with an empty table, the expected secure behavior would be to deny all traffic (fail-closed). Instead, the UBR firmware implements a fail-open model where an empty filter table results in no filtering being applied whatsoever.
The vulnerability is network-exploitable and requires high privileges (administrator access) to configure the faulty filter. While the direct exploitation requires administrative access, the impact is significant because it creates a false sense of security—administrators believe traffic is being blocked when it is actually flowing freely. This can lead to confidentiality breaches as unauthorized BACnet communications traverse the network unimpeded.
Building automation systems using BACnet protocol are commonly deployed in critical infrastructure environments including commercial buildings, hospitals, and industrial facilities. Misconfigured network filtering in these environments can expose HVAC systems, access control, and other building management functions to unauthorized observation or manipulation.
Root Cause
The root cause is CWE-636: Not Failing Securely (The Opposite of Intended). The UBR firmware's filter implementation does not follow secure design principles. When presented with an empty pass filter configuration, the system defaults to an open state rather than a closed state. This violates the principle of least privilege and secure defaults, where an ambiguous or empty configuration should result in the most restrictive behavior.
Attack Vector
The attack vector is network-based but requires that an administrator has already misconfigured the device with an empty pass filter table. An attacker with network access to the BACnet infrastructure could then:
- Observe that traffic filtering is not being enforced despite administrative configuration
- Send unauthorized BACnet messages through the router
- Perform reconnaissance on building automation devices
- Potentially manipulate building systems if additional controls are absent
The vulnerability does not require user interaction and has a network attack vector. The scope is unchanged, meaning the vulnerable component and impacted component are the same. The primary impact is to confidentiality, as unfiltered network traffic may expose sensitive building automation data and system information.
Detection Methods for CVE-2025-41760
Indicators of Compromise
- BACnet traffic passing through UBR devices despite pass filter configurations being set to empty tables
- Unexpected network communications to or from building automation systems
- Configuration audits revealing empty pass filter tables in UBR devices
- Network traffic analysis showing unfiltered BACnet protocol messages on segments expected to be restricted
Detection Strategies
- Review UBR device configurations for any pass filters configured with empty tables
- Implement network monitoring to verify that filter policies are being enforced as expected
- Conduct periodic configuration audits comparing intended security policy against actual device configuration
- Deploy network traffic analysis tools to monitor BACnet communications and detect anomalous traffic patterns
Monitoring Recommendations
- Enable logging on UBR devices to capture configuration changes and filter policy modifications
- Implement network segmentation monitoring to detect traffic that should be blocked by filter policies
- Set up alerts for configuration changes to pass filter tables on UBR devices
- Monitor BACnet traffic volumes for unexpected increases that may indicate filter bypass
How to Mitigate CVE-2025-41760
Immediate Actions Required
- Audit all MBS Solutions UBR devices for pass filters configured with empty tables
- Replace empty pass filter tables with explicit deny rules or populated allow lists
- Verify filter configurations are functioning as intended through network traffic testing
- Implement network segmentation as a defense-in-depth measure for building automation systems
Patch Information
MBS Solutions has released a security advisory addressing this vulnerability. Administrators should consult the MBS Solutions Security Advisory (MBS-2025-0001) for specific firmware update information and remediation guidance. Check with MBS Solutions for updated firmware versions that properly implement fail-secure behavior for empty filter configurations.
Workarounds
- Never configure pass filters with empty tables; always populate filter tables with explicit rules
- Implement network-level access controls upstream of UBR devices as additional protection
- Use explicit deny-all rules in filter configurations rather than relying on empty table behavior
- Deploy additional monitoring and intrusion detection systems on BACnet network segments
# Configuration verification steps
# 1. Access UBR device management interface
# 2. Navigate to filter configuration section
# 3. Verify all pass filters contain explicit entries
# 4. If empty tables exist, populate with intended rules or remove
# 5. Test filter effectiveness with controlled traffic
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
