CVE-2025-41759 is a vulnerability classified under CWE-636 (Not Failing Securely) affecting the MBS UBR-01 Mk II network device. The issue arises when an administrator attempts to block all networks by specifying wildcard identifiers such as '*' or 'all'. These values are not supported by the device's configuration validation logic and do not trigger any error or warning. Instead, the device silently interprets these inputs as network 0, effectively resulting in no networks being blocked. This behavior constitutes a failure to fail securely, as the intended security policy (blocking all networks) is not enforced, leading to a security bypass. The vulnerability requires administrator privileges to exploit but does not require user interaction. The CVSS v3.1 base score is 4.9 (medium severity), reflecting the network attack vector with low complexity and high confidentiality impact, but no impact on integrity or availability. The vulnerability could allow an attacker with administrative access to bypass network restrictions, potentially exposing sensitive network segments or data. No public exploits or patches are currently available, but the issue is documented and published by CERTVDE. The affected product version is 0.0.0, indicating the initial or early release version of the device firmware or software. This vulnerability highlights the importance of proper input validation and secure failure modes in network device configuration management.

The primary impact of CVE-2025-41759 is the bypass of network blocking policies on the MBS UBR-01 Mk II device. Organizations relying on this device to enforce network segmentation or restrict access to sensitive networks may find that their intended security controls are ineffective if administrators use unsupported wildcard identifiers. This can lead to unauthorized access to confidential network segments, increasing the risk of data exposure or interception. Since the vulnerability does not affect integrity or availability, the threat is mainly to confidentiality. The requirement for administrative privileges limits the attack surface to insiders or attackers who have already compromised administrative credentials. However, the ease of exploitation once admin access is obtained and the silent failure mode increase the risk of unnoticed security policy violations. This can undermine trust in network security controls and complicate incident response. The lack of user interaction and remote network attack vector means that attackers with admin access can exploit this vulnerability without additional conditions. Overall, the vulnerability can facilitate lateral movement or data exfiltration in targeted environments.

To mitigate CVE-2025-41759, administrators should avoid using unsupported wildcard network identifiers such as '*' or 'all' when configuring network blocks on the MBS UBR-01 Mk II device. Instead, explicitly specify the exact network identifiers to be blocked to ensure proper enforcement. Network device configuration should be audited regularly to detect any misconfigurations or ineffective policies. Vendors should be engaged to provide patches or firmware updates that validate input correctly and fail securely by rejecting unsupported values with explicit errors. Until patches are available, organizations should implement compensating controls such as network monitoring and anomaly detection to identify unauthorized network access. Restrict administrative access to trusted personnel and enforce strong authentication and logging to detect misuse. Additionally, consider segmenting administrative interfaces on isolated management networks to reduce exposure. Finally, document and train administrators on the correct configuration procedures to prevent accidental use of unsupported values.