CVE-2025-41760 identifies a security vulnerability in the MBS UBR-01 Mk II network device related to improper handling of empty pass filter configurations. Specifically, when an administrator attempts to block all traffic by setting a pass filter with an empty table, the device does not enforce any restrictions and instead allows all traffic to pass unfiltered. This behavior is classified under CWE-636, which describes failures to fail securely, often resulting in 'failing open' conditions. The vulnerability requires administrative privileges to configure the filter but does not require any user interaction to be exploited. The CVSS 3.1 base score is 4.9 (medium severity), reflecting the network attack vector, low complexity, and high confidentiality impact, but no impact on integrity or availability. The flaw can lead to unintended exposure of sensitive network traffic, undermining confidentiality protections. No patches or known exploits are currently available, and the affected version is listed as 0.0.0, indicating the initial or unspecified firmware version. The vulnerability highlights a critical design flaw in the device's filtering logic, where an empty filter list is treated as permissive rather than restrictive, potentially allowing attackers or unauthorized users to access sensitive data or bypass network segmentation controls.

The primary impact of CVE-2025-41760 is the potential exposure of sensitive network traffic due to the device allowing all traffic when an empty pass filter is configured. This undermines confidentiality protections and could facilitate data leakage or unauthorized access to internal network segments. Organizations using the MBS UBR-01 Mk II as a security boundary or traffic filter may inadvertently allow malicious or unauthorized traffic if the empty filter misconfiguration occurs. While the vulnerability does not affect integrity or availability directly, the loss of confidentiality can have serious consequences, including data breaches, compliance violations, and increased risk of lateral movement by attackers. The requirement for administrative privileges to configure the filter limits exploitation to insiders or attackers who have already gained elevated access. However, the ease of misconfiguration and lack of fail-secure behavior increase the risk of accidental exposure. Given the device’s role in network traffic filtering, critical infrastructure, government, and enterprises relying on this product could face significant risks if this vulnerability is not addressed.

1. Avoid configuring pass filters with empty tables on the MBS UBR-01 Mk II device to prevent the fail-open condition. 2. Implement strict change management and configuration review processes to detect and prevent misconfigurations involving empty filter lists. 3. Monitor network traffic for unexpected or unauthorized flows that could indicate filter bypass. 4. Segregate administrative access to the device to trusted personnel only, minimizing the risk of accidental or malicious misconfiguration. 5. Engage with the vendor MBS to obtain firmware updates or patches addressing this vulnerability once released. 6. Consider deploying additional network security controls such as intrusion detection/prevention systems (IDS/IPS) or next-generation firewalls to provide layered defense in case of filter failure. 7. Conduct regular security audits and penetration testing focused on network filtering rules and device configurations to identify similar fail-open conditions. 8. Document and train network administrators on the correct use of filtering configurations and the risks associated with empty filter lists.