CVE-2025-41765

CRITICAL 9.1

Unchecked role in wwwupload.cgi

CVSS Score

9.1

EPSS Score

0.0%

EPSS Percentile

0th

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.

CWE	CWE-862
Vendor	mbs
Product	ubr-01 mk ii
Published	Mar 9, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for mbs ubr-01 mk ii

Be the first to know when new critical vulnerabilities affecting mbs ubr-01 mk ii are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

Affected Versions

MBS / UBR-01 Mk II

0.0.0 < 6.0.1.0

MBS / UBR-02

0.0.0 < 6.0.1.0

MBS / UBR-LON

0.0.0 < 6.0.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

mbs-solutions.de: https://www.mbs-solutions.de/mbs-2025-0001

Credits

Adrien Rey from Cyber Defense Campus Zurich Daniel Hulliger from Armasuisse