Cyber Posture

CVE-2025-41756

High

Published: 09 March 2026

Modified: 11 March 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0004 (12.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41756 is a high-severity Inclusion of Undocumented Features or Chicken Bits (CWE-1242) vulnerability in Mbs-Solutions Universal Bacnet Router Firmware. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003). The CVE is ranked at the 12.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Web Shell (T1505.003).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Prohibits or restricts unused and undocumented API endpoints like ubr-editfile in wwwubr.cgi, preventing low-privileged remote attackers from exploiting them for arbitrary file writes.

prevent

Validates inputs to the ubr-editfile method to block arbitrary file paths and contents, directly mitigating the file write vulnerability.

prevent

Remediates the specific flaw in wwwubr.cgi's ubr-editfile endpoint through identification, patching, and verification, eliminating the arbitrary file write capability.

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary file write via web CGI endpoint directly enables deployment of web shells (T1505.003) for persistence and code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint, to write arbitrary files on the system.

Deeper analysis

CVE-2025-41756 is a vulnerability in the wwwubr.cgi component, specifically the undocumented and unused ubr-editfile API endpoint, that allows a low-privileged remote attacker to write arbitrary files on the affected system. Published on 2026-03-09, it has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-1242.

A low-privileged remote attacker can exploit this vulnerability over the network with low attack complexity and without user interaction. Successful exploitation enables arbitrary file writes on the system, with high impact on integrity and availability. Depending on the targeted files and locations, this could facilitate privilege escalation, persistence, or further system compromise.

The primary advisory reference is available at https://www.mbs-solutions.de/mbs-2025-0001, which details mitigation strategies for this issue.

Details

CWE(s)

Affected Products

mbs-solutions universal bacnet router firmware ≤ 6.0.1.0

CVEs Like This One

CVE-2025-41758 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41766 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41767 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41764 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41757 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41772 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41765 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41761 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2023-3634 (Shared CWE-1242)
