CVE-2025-41764

Critical

Published: 09 March 2026

Published

09 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0005 14.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41764 is a critical-severity Missing Authorization (CWE-862) vulnerability in Mbs-Solutions Universal Bacnet Router Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for access to the wwwupdate.cgi endpoint, directly preventing unauthorized remote attackers from uploading and applying arbitrary updates.

CM-5 Access Restrictions for Change good match

prevent

Authorizes and manages access to system components for implementing changes, such as restricting who can upload and apply updates via the vulnerable endpoint.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Prohibits sensitive actions like update uploads without identification and authentication, addressing the insufficient authorization enforcement in wwwupdate.cgi.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability in the public wwwupdate.cgi endpoint allows unauthenticated remote upload/apply of arbitrary updates due to missing authorization, directly enabling T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.

Deeper analysisAI

CVE-2025-41764 is a critical vulnerability (CVSS score 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) caused by insufficient authorization enforcement (CWE-862) in the wwwupdate.cgi endpoint. Published on 2026-03-09, it enables an unauthorized remote attacker to upload and apply arbitrary updates to the affected component.

Any unauthenticated attacker with network access can exploit the wwwupdate.cgi endpoint with low complexity and no user interaction required. Successful exploitation allows the attacker to upload and apply arbitrary updates, resulting in high integrity and availability impacts.

Mitigation details are available in the vendor advisory at https://www.mbs-solutions.de/mbs-2025-0001.

Details

CWE(s): CWE-862

Affected Products

mbs-solutions

universal bacnet router firmware

≤ 6.0.1.0

CVEs Like This One

CVE-2025-41765Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41767Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41766Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41772Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41758Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41757Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41756Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-41761Same product: Mbs-Solutions Ubr-01 Mk Ii

CVE-2025-67974Shared CWE-862

CVE-2026-28254Shared CWE-862

References

https://www.mbs-solutions.de/mbs-2025-0001
Vendor Advisory · info@cert.vde.com