CVE-2025-41761

Severity: High
Published: 09 March 2026
Modified: 11 March 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (1.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-41761 is a high-severity Argument Injection (CWE-88) vulnerability in Mbs-Solutions Universal Bacnet Router Firmware. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Sudo and Sudo Caching (T1548.003). The CVE ranks at the 1.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Sudo and Sudo Caching (T1548.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces least privilege by restricting the UBR service account from unnecessary sudo access to binaries like tcpdump and ip, directly preventing privilege escalation.

Prevent: Requires management of service accounts including periodic review and approval of privilege assignments, mitigating excessive sudo permissions on the UBR account.

Prevent: Mandates secure configuration settings for system components like the sudoers file to prevent misconfigurations enabling privilege escalation via allowed binaries.

MITRE ATT&CK Enterprise Techniques

T1548.003 Sudo and Sudo Caching (tactic: Privilege Escalation)
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Why these techniques?

Direct sudo misconfiguration on binaries (tcpdump/ip) enabling local privilege escalation from service account.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.

Deeper analysis

CVE-2025-41761 is a privilege escalation vulnerability in the UBR service account, published on 2026-03-09. It stems from the service account being permitted to execute certain binaries, such as tcpdump and ip, with sudo privileges. This misconfiguration allows a low-privileged local attacker with access to the account to escalate to full system access. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-88 (Improper Neutralization of Argument Delimiters in a Command).

A low-privileged local attacker who obtains access to the UBR service account, such as via SSH, can exploit this vulnerability. By leveraging the sudo permissions on the specified binaries, the attacker achieves privilege escalation, resulting in high-impact compromise of confidentiality, integrity, and availability on the affected system.

Mitigation details are available in the advisory from MBS Solutions at https://www.mbs-solutions.de/mbs-2025-0001.
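
To check a host for the kind of grant described above, the following added example (not code from MBS Solutions or from this page) audits sudoers text for rules that let a given account run tcpdump or ip, and reports whether the rule is NOPASSWD and whether arguments are left unrestricted. The account name "ubrsvc" and the sample sudoers fragment are constructed for illustration; the advisory does not name the account.

```python
import re

# Binaries the page names as sudo-permitted for the service account.
WATCHED = {"tcpdump", "ip"}

# Constructed sample; "ubrsvc" is a hypothetical account name, not from the advisory.
SAMPLE_SUDOERS = r"""
# constructed sudoers fragment
Cmnd_Alias NETDIAG = /usr/sbin/tcpdump, \
                     /sbin/ip
Defaults env_reset
ubrsvc ALL=(root) NOPASSWD: NETDIAG
ubrsvc ALL=(root) /usr/bin/systemctl status ubr
backup ALL=(root) /sbin/ip ""
"""

def logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: ignores #include / #uid forms
        if line:
            yield line

def audit(text, account, watched=WATCHED):
    """Return findings for `account` as (command, nopasswd, args_unrestricted)."""
    aliases, findings = {}, []
    for line in logical_lines(text):
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)", line)
        if not m or m.group(1) != account:
            continue
        spec = m.group(2)
        nopasswd = "NOPASSWD:" in spec
        spec = re.sub(r"\b[A-Z_]+:\s*", "", spec)  # strip tags such as NOPASSWD:
        cmds = []
        for item in (c.strip() for c in spec.split(",")):
            cmds.extend(aliases.get(item, [item]))  # expand Cmnd_Alias names
        for cmd in cmds:
            path, _, args = cmd.partition(" ")
            if path == "ALL" or path.rsplit("/", 1)[-1] in watched:
                # sudoers: a command listed without arguments may be run with any arguments
                findings.append((path, nopasswd, args.strip() == ""))
    return findings
```

A finding with args_unrestricted set to True is the case relevant to CWE-88: the rule places no constraint on the arguments passed to the binary. On a real host, feed the function the contents of /etc/sudoers and the files under /etc/sudoers.d.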

Details

CWE(s)

Affected Products

Vendor: mbs-solutions
Product: universal bacnet router firmware
Versions: ≤ 6.0.1.0

CVEs Like This One

CVE-2025-41764 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41758 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41756 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41766 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41772 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41765 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41767 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2025-41757 (Same product: Mbs-Solutions Ubr-01 Mk Ii)
CVE-2026-26194 (Shared CWE-88)
CVE-2026-22582 (Shared CWE-88)
