CVE-2025-41755 is a CWE-22 path traversal vulnerability found in the MBS UBR-01 Mk II product. The flaw exists in the ubr-logread method within the wwwubr.cgi interface, which accepts a parameter to specify which log file to read, typically files like /tmp/weblog{some_number}. Due to improper validation of this parameter, an attacker with low privileges can manipulate the input to traverse directories and access arbitrary files on the device's filesystem. This vulnerability allows remote attackers to read sensitive files without authentication or user interaction, potentially exposing configuration files, credentials, or other confidential data stored on the device. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting its medium severity, with network attack vector, low attack complexity, and no user interaction required. The impact is limited to confidentiality, as the vulnerability does not permit modification or denial of service. No patches or known exploits are currently available, but the flaw poses a significant risk to organizations relying on the affected device for network operations or infrastructure management.

The primary impact of CVE-2025-41755 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers can leverage this vulnerability to access configuration files, logs, credentials, or other sensitive data stored on the device, potentially facilitating further attacks such as privilege escalation or lateral movement within a network. For organizations using the MBS UBR-01 Mk II, especially in critical infrastructure or telecommunications, this could lead to exposure of operational details or security parameters. Although the vulnerability does not allow modification or disruption of services, the confidentiality breach alone can have severe consequences, including compliance violations, reputational damage, and increased risk of subsequent attacks. The ease of exploitation over the network without user interaction increases the threat level, particularly in environments where these devices are exposed or insufficiently segmented.

To mitigate CVE-2025-41755, organizations should implement the following specific measures: 1) Immediately restrict network access to the wwwubr.cgi interface, limiting it to trusted management networks or VPNs to reduce exposure. 2) Employ strict input validation and sanitization on parameters accepted by the ubr-logread method to prevent directory traversal sequences such as '../'. 3) Implement file access controls and sandboxing to ensure that the web interface can only read intended log files within a designated directory. 4) Monitor device logs and network traffic for unusual access patterns or attempts to exploit path traversal. 5) Engage with the vendor (MBS) to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 6) As an interim measure, consider disabling the vulnerable functionality if it is not essential to operations. 7) Conduct regular security assessments and penetration tests focusing on web interface vulnerabilities to detect similar issues proactively.