CVE-2025-41761

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.mbs-solutions.de/mbs-2025-0001	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:mbs-solutions:universal_bacnet_router_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:mbs-solutions:ubr-01_mk_ii:-:::::::*
	cpe:2.3:h:mbs-solutions:ubr-02:-:::::::*
	cpe:2.3:h:mbs-solutions:ubr-lon:-:::::::*

History

No history.

Information

Published : 2026-03-09 09:16

Updated : 2026-03-11 18:27

NVD link : CVE-2025-41761

Mitre link : CVE-2025-41761

CVE.ORG link : CVE-2025-41761

JSON object : View

Products Affected

mbs-solutions

ubr-lon
universal_bacnet_router_firmware
ubr-02
ubr-01_mk_ii

CWE

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

{"id": "CVE-2025-41761", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "info@cert.vde.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-03-09T09:16:00.263", "references": [{"url": "https://www.mbs-solutions.de/mbs-2025-0001", "tags": ["Vendor Advisory"], "source": "info@cert.vde.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "info@cert.vde.com", "description": [{"lang": "en", "value": "CWE-88"}]}], "descriptions": [{"lang": "en", "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo."}, {"lang": "es", "value": "Un atacante local con pocos privilegios que obtiene acceso a la cuenta de servicio UBR (p. ej., a trav\u00e9s de SSH) puede escalar privilegios para obtener acceso completo al sistema. Esto se debe a que a la cuenta de servicio se le permite ejecutar ciertos binarios (p. ej., tcpdump e ip) con sudo."}], "lastModified": "2026-03-11T18:27:21.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:mbs-solutions:universal_bacnet_router_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4E2B246-5465-41DB-BD9A-1533A7508790", "versionEndExcluding": "6.0.1.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:mbs-solutions:ubr-01_mk_ii:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0D812069-6738-4B82-992B-09BB239783AB"}, {"criteria": "cpe:2.3:h:mbs-solutions:ubr-02:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B21413DE-E1FA-4B5C-A415-F8E70D7090BF"}, {"criteria": "cpe:2.3:h:mbs-solutions:ubr-lon:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E0C67EAC-C633-4037-B2C4-965455FFF2A0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "info@cert.vde.com"}