Cyber Resilience

CVE-2025-41761

High

Published: 09 March 2026

Modified: 11 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41761 is a high-severity Argument Injection (CWE-88) vulnerability in Mbs-Solutions Universal Bacnet Router Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Sudo and Sudo Caching (T1548.003). The CVE ranks at the 1.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-41761 is a privilege escalation vulnerability in the UBR service account, published on 2026-03-09. It stems from the service account being permitted to execute certain binaries, such as tcpdump and ip, with sudo privileges. This misconfiguration allows a low-privileged local attacker with access to the account to escalate to full system access. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-88 (Improper Neutralization of Argument Delimiters in a Command).

A low-privileged local attacker who obtains access to the UBR service account, such as via SSH, can exploit this vulnerability. By leveraging the sudo permissions on the specified binaries, the attacker achieves privilege escalation, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Mitigation details are available in the advisory from MBS Solutions at https://www.mbs-solutions.de/mbs-2025-0001.

EU & UK References

Vulnerability details

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1548.003 Sudo and Sudo Caching (Privilege Escalation)
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Why these techniques?

Direct sudo misconfiguration on binaries (tcpdump/ip) enabling local privilege escalation from service account.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-41765 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41756 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41767 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41758 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41764 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41766 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41757 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41772 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2026-24061 (Shared CWE-88)
CVE-2026-31230 (Shared CWE-88)

Affected Assets

Vendor: mbs-solutions
Product: universal bacnet router firmware
Versions: ≤ 6.0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Enforces least privilege by restricting the UBR service account from unnecessary sudo access to binaries like tcpdump and ip, directly preventing privilege escalation.

prevent

Requires management of service accounts including periodic review and approval of privilege assignments, mitigating excessive sudo permissions on the UBR account.

prevent

Mandates secure configuration settings for system components like the sudoers file to prevent misconfigurations enabling privilege escalation via allowed binaries.
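
One way to check for the condition these controls address, as an added example (not code from MBS Solutions or from this page): a Python audit that reads sudoers-style rules and reports which commands a given account may run with sudo and why each needs review. The account name `ubr`, the sample rules and the helper names are assumptions constructed for illustration, and rules are assumed to be direct user specifications without aliases.

```python
import posixpath
import re

# Binaries the CVE description names as sudo-permitted for the service account.
REVIEW_BINARIES = {"tcpdump", "ip"}

# Constructed sample, NOT the product's real sudoers file; "ubr" is an assumed name.
SAMPLE_SUDOERS = """\
# constructed example rules
Defaults env_reset
ubr ALL=(root) NOPASSWD: /usr/sbin/tcpdump, /sbin/ip
ubr ALL=(root) NOPASSWD: /usr/bin/systemctl status ubr.service
admin ALL=(ALL) ALL
"""

# user host = (runas) commands
SPEC = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")

def audit(sudoers_text, account):
    """Return [(command, [reasons])] for rules of `account` that need review."""
    findings = []
    for line in sudoers_text.replace("\\\n", " ").splitlines():
        m = SPEC.match(line.split("#", 1)[0].strip())
        if not m or m["user"] != account:
            continue
        nopasswd = False  # tags apply to later commands in the same rule
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = t[1] == "NOPASSWD"
                cmd = cmd[t.end():]
            path, _, args = cmd.partition(" ")
            reasons = []
            if path == "ALL":
                reasons.append("grants every command")
            elif not args.strip():
                reasons.append("no argument restriction")
            if posixpath.basename(path) in REVIEW_BINARIES:
                reasons.append("binary named in the CVE description")
            if reasons and nopasswd:
                reasons.append("NOPASSWD")
            if reasons:
                findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_SUDOERS, "ubr"):
        print(f"REVIEW {path}: {', '.join(reasons)}")
```

In sudoers, a command listed without arguments may be run with any arguments, which is why the audit treats a bare path differently from the rule that pins `status ubr.service`.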

References