
CVE-2025-41765: Universal BACnet Router Auth Bypass Flaw

CVE-2025-41765 is an authorization bypass vulnerability in MBS Solutions Universal BACnet Router firmware that allows remote attackers to upload arbitrary data via wwwupload.cgi. This article covers technical details, impact, and mitigation.


CVE-2025-41765 Overview

CVE-2025-41765 is a missing authorization vulnerability [CWE-862] in MBS Solutions Universal BACnet Router firmware. The wwwupload.cgi endpoint fails to enforce authorization checks on incoming upload requests. An unauthenticated remote attacker can send crafted HTTP requests to upload and apply arbitrary data to the device.

The accepted upload types include contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys. The flaw affects the UBR-01 MK II, UBR-02, and UBR-LON hardware models running the Universal BACnet Router firmware.

Critical Impact

Unauthenticated attackers can replace certificates, restore arbitrary system backups, and overwrite BACnet/SC trust material, enabling full compromise of building automation traffic.

Affected Products

  • MBS Solutions Universal BACnet Router Firmware
  • MBS Solutions UBR-01 MK II
  • MBS Solutions UBR-02
  • MBS Solutions UBR-LON

Discovery Timeline

  • 2026-03-09 - CVE-2025-41765 published to the National Vulnerability Database
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2025-41765

Vulnerability Analysis

The vulnerability resides in the wwwupload.cgi CGI handler exposed by the device web interface. The handler dispatches uploaded files to multiple privileged subsystems based on a request parameter, including certificate stores, backup restore routines, and BACnet Secure Connect (BACnet/SC) credential storage.

The endpoint accepts and processes these uploads without verifying that the request carries a valid authenticated session or administrative role. An attacker reaching the device over the network can therefore drive any upload path the legitimate web UI exposes. Because BACnet routers commonly sit on operational technology (OT) networks bridging IP and BACnet segments, successful exploitation can pivot from the management interface into building automation traffic.

Root Cause

The root cause is missing authorization enforcement on a sensitive HTTP endpoint, classified as [CWE-862]. The application checks neither session state nor user privilege before applying uploaded artifacts to the running configuration.

Attack Vector

Exploitation requires only network reachability to the device HTTP service. No credentials, user interaction, or special conditions are needed. An attacker submits an HTTP POST to wwwupload.cgi selecting the target upload category and supplies the payload, which the device then writes and applies. Replacing the HTTPS certificate enables man-in-the-middle interception, restoring a crafted backup allows full configuration takeover, and overwriting BACnet/SC keys compromises secure BACnet sessions.

No public proof-of-concept exploit is currently available. Refer to the MBS Solutions Security Advisory for vendor technical details.

Detection Methods for CVE-2025-41765

Indicators of Compromise

  • Unexpected HTTP POST requests to wwwupload.cgi originating from non-administrative source addresses.
  • Unscheduled changes to the device HTTPS certificate, BACnet/SC certificates, or server peer configuration.
  • Configuration restore events in device logs that do not correlate with authorized maintenance activity.
  • Newly installed contact images or system backups arriving outside of change-control windows.

Detection Strategies

  • Inspect web server and reverse proxy logs for requests targeting wwwupload.cgi and alert on unauthenticated or anomalous sources.
  • Baseline certificate fingerprints presented by each router and alert on rotation events that bypass the change process.
  • Monitor BACnet/SC sessions for sudden certificate or key changes and unexpected re-negotiation patterns.
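The following script is an added example, not part of the original advisory or any MBS Solutions tooling: it runs the first detection strategy above over a few constructed web-server access log lines (combined log format) and flags POST requests to wwwupload.cgi that come from outside an assumed admin network or carry no authenticated username. The admin subnet 10.10.50.0/24 and the request path /wwwupload.cgi are assumptions for the example.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample lines in combined log format; not real device logs.
SAMPLE_LOG = """\
10.10.50.12 - admin [09/Mar/2026:10:01:02 +0000] "POST /wwwupload.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [09/Mar/2026:10:07:41 +0000] "POST /wwwupload.cgi HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.10.50.12 - admin [09/Mar/2026:10:09:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [09/Mar/2026:10:12:13 +0000] "GET /wwwupload.cgi HTTP/1.1" 200 120 "-" "curl/8.0"
"""

# Assumption: the admin jump network is 10.10.50.0/24 (same subnet as the iptables workaround).
ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Combined log format: src ident user [timestamp] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)


def is_admin_source(src: str) -> bool:
    """True when the source address lies inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def find_suspicious_uploads(lines: Iterable[str]) -> list[dict]:
    """Return POSTs to wwwupload.cgi from non-admin sources or with no logged user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production version should count these
        if m["method"] != "POST" or "wwwupload.cgi" not in m["path"].lower():
            continue
        reasons = []
        if not is_admin_source(m["src"]):
            reasons.append("source outside admin network")
        if m["user"] == "-":
            reasons.append("no authenticated user recorded")
        if reasons:
            hits.append({"src": m["src"], "ts": m["ts"], "ua": m["ua"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} {hit['src']} ({hit['ua']}): {', '.join(hit['reasons'])}")
```

Because the vulnerable handler performs no authorization check, an unauthenticated upload succeeds with a 200 status, so the status code alone is not a useful signal; source address and the absence of a session user are what this check keys on.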

Monitoring Recommendations

  • Forward router HTTP, audit, and configuration-change logs to a centralized SIEM with retention sufficient for OT incident review.
  • Capture north-south traffic to the router management VLAN and review POST volume to CGI endpoints on a recurring cadence.
  • Track firmware version inventories across all UBR-01 MK II, UBR-02, and UBR-LON devices to identify unpatched units.

How to Mitigate CVE-2025-41765

Immediate Actions Required

  • Restrict network access to the router web interface to a dedicated management network or jump host using firewall rules and access control lists.
  • Apply the firmware update referenced in the MBS Solutions Security Advisory as soon as it is available for the affected model.
  • Rotate HTTPS certificates, BACnet/SC certificates and keys, and any server peer credentials that may have been exposed prior to patching.
  • Audit device configuration, restored backups, and uploaded contact images against a known-good baseline.

Patch Information

MBS Solutions has issued advisory mbs-2025-0001 covering the Universal BACnet Router firmware for UBR-01 MK II, UBR-02, and UBR-LON. Consult the MBS Solutions Security Advisory for fixed firmware versions and upgrade instructions specific to each hardware revision.

Workarounds

  • Block external access to TCP ports serving the device web interface at the perimeter firewall until firmware is updated.
  • Place the routers behind a VPN or bastion that enforces strong authentication before any HTTP requests reach the device.
  • Disable or remove network paths between general-purpose IT segments and the OT segment hosting the BACnet routers.

```bash
# Example: restrict management access to the router web UI to an admin subnet.
# Rules are evaluated in order, so the ACCEPT for the admin subnet must precede the DROP.
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 80  -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
