Cyber Resilience

CVE-2025-41772

High

Published: 09 March 2026

Published
09 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 18.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41772 is a high-severity Use of HTTP Request With Sensitive Query String (CWE-598) vulnerability in Mbs-Solutions Universal Bacnet Router Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-41772 affects the UBR software, specifically the wwwupdate.cgi endpoint, where valid session tokens are exposed in plaintext within URL parameters. This vulnerability, published on 2026-03-09, stems from CWE-598 (use of GET request method with sensitive query strings) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low attack complexity and no privileges required.

An unauthenticated remote attacker can exploit this vulnerability over the network by accessing or intercepting URLs that include the wwwupdate.cgi endpoint, allowing them to obtain valid session tokens directly from the plaintext parameters.

Mitigation details are available in the advisory published by MBS Solutions at https://www.mbs-solutions.de/mbs-2025-0001.

EU & UK References

Vulnerability details

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability in public-facing wwwupdate.cgi endpoint exposes session tokens in plaintext URLs (CWE-598), directly enabling remote exploitation of the web app (T1190) and access to unsecured credentials/tokens (T1552) for session hijacking.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-41765Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41767Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41764Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41766Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41758Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41757Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41756Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2025-41761Same product: Mbs-Solutions Ubr-01 Mk Ii
CVE-2026-25118Shared CWE-598
CVE-2026-26721Shared CWE-598

Affected Assets

mbs-solutions
universal bacnet router firmware
≤ 6.0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of the specific software flaw exposing valid session tokens in plaintext URL parameters of the wwwupdate.cgi endpoint.

prevent

Mandates protecting authenticator content, such as session tokens, from unauthorized disclosure, directly addressing their exposure in plaintext URL parameters.

prevent

Implements cryptographic mechanisms to protect confidentiality of transmitted session tokens, mitigating interception even when included in URL parameters.

References