CVE-2025-41755 is a path traversal vulnerability classified under CWE-22 found in the MBS UBR-01 Mk II device. The vulnerability resides in the ubr-logread method within the wwwubr.cgi endpoint, which accepts a parameter intended to specify a log file path such as /tmp/weblog{some_number}. Due to improper validation of this parameter, an attacker with low privileges can manipulate the input to traverse directories and access arbitrary files on the device's filesystem. This flaw allows unauthorized reading of sensitive files, potentially exposing configuration files, credentials, or other critical data stored on the device. The vulnerability can be exploited remotely over the network without requiring user interaction, making it accessible to attackers with network access and low privileges. The CVSS v3.1 score of 6.5 (medium severity) reflects high confidentiality impact but no impact on integrity or availability. No patches or known exploits are currently reported, but the vulnerability poses a risk to organizations relying on this device for network or infrastructure management. The lack of proper input sanitization and insufficient access controls on the file parameter are the root causes. This vulnerability highlights the importance of secure coding practices, especially in embedded or network devices that expose web interfaces.

The primary impact of CVE-2025-41755 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers can access configuration files, logs, credentials, or other sensitive data stored on the device, potentially leading to further compromise or lateral movement within a network. While the vulnerability does not allow modification or disruption of device operations, the exposure of confidential data can undermine organizational security postures, especially if critical infrastructure or sensitive environments rely on the MBS UBR-01 Mk II. The ease of remote exploitation without user interaction increases the risk of automated scanning and targeted attacks. Organizations in sectors such as telecommunications, industrial control systems, or government infrastructure using this device may face increased risk of espionage or data leakage. The absence of known exploits currently provides a window for remediation, but the medium severity indicates that timely mitigation is necessary to prevent exploitation.

To mitigate CVE-2025-41755, organizations should implement strict input validation and sanitization on the ubr-logread method parameter to prevent directory traversal sequences (e.g., ../). Employing whitelisting of allowable log file names or paths can effectively block unauthorized file access. Additionally, access controls should be enforced to restrict the files accessible via the web interface to only those necessary for legitimate operations. Network segmentation and firewall rules should limit access to the device’s management interface to trusted administrators and networks. Monitoring and logging access attempts to the wwwubr.cgi endpoint can help detect exploitation attempts. If available, applying vendor patches or firmware updates addressing this vulnerability is critical; if no patches exist, consider compensating controls such as disabling the vulnerable endpoint or replacing the device. Regular security assessments and penetration testing should verify that path traversal and similar vulnerabilities are mitigated. Finally, educating administrators about the risks of exposing management interfaces to untrusted networks can reduce attack surface.