CVE-2025-41759 identifies a security vulnerability in the MBS UBR-01 Mk II network device related to improper input validation and failure to fail securely (CWE-636). When an administrator attempts to block all networks by specifying the network identifier as "*" or "all", the device does not recognize these values as valid inputs and does not generate any validation error or warning. Instead, these inputs are silently interpreted as network 0, effectively resulting in no networks being blocked. This behavior constitutes a 'failing open' condition where the security control intended to restrict network access is bypassed due to improper handling of invalid input. The vulnerability requires administrative privileges to exploit, meaning an attacker or insider with admin access can misconfigure the device to leave networks unblocked unintentionally. The CVSS v3.1 base score is 4.9 (medium severity), reflecting the network attack vector, low attack complexity, and high confidentiality impact, but no impact on integrity or availability. No user interaction is required, and the scope is unchanged. There are currently no known exploits in the wild, and no patches have been published. This vulnerability highlights the importance of robust input validation and secure failure modes in network security devices to prevent accidental or malicious misconfigurations that could expose sensitive network segments.

The primary impact of this vulnerability is a confidentiality breach risk due to unintended network access. Organizations relying on the MBS UBR-01 Mk II to enforce network segmentation or block unauthorized networks may find that attempts to block all networks using common wildcard identifiers fail silently, leaving networks exposed. This can allow unauthorized users or attackers to access sensitive network segments that were assumed to be blocked, potentially leading to data leakage or reconnaissance opportunities. Since administrative privileges are required to exploit this issue, the risk is higher in environments where multiple administrators manage the device or where insider threats exist. The lack of integrity and availability impact means the device continues to operate normally, which may delay detection of the misconfiguration. Globally, organizations using this device in critical infrastructure, enterprise networks, or government environments could face increased exposure to network-based attacks or data breaches if this vulnerability is not addressed.

1. Until a vendor patch is available, administrators should avoid using unsupported wildcard identifiers such as "*" or "all" to block networks on the MBS UBR-01 Mk II device. Instead, explicitly specify each network to be blocked using supported identifiers. 2. Implement strict administrative access controls and audit logging to monitor configuration changes on the device to detect potential misuse or misconfiguration attempts. 3. Conduct regular configuration reviews and network segmentation validation to ensure that intended network blocks are effectively enforced. 4. Use external network monitoring and intrusion detection systems to identify unauthorized network access that may result from this vulnerability. 5. Engage with the vendor MBS for updates on patches or firmware releases addressing this issue and plan timely deployment once available. 6. Train network administrators on the correct configuration procedures and the risks of relying on unsupported input values. 7. Consider deploying compensating controls such as firewall rules or network access control lists outside the device to enforce network segmentation robustly.