CVE-2025-41760: CWE-636 Not Failing Securely ('Failing Open') in MBS UBR-01 Mk II
An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.
AI Analysis
Technical Summary
CVE-2025-41760 identifies a security vulnerability classified under CWE-636 (Not Failing Securely) in the MBS UBR-01 Mk II network device. The vulnerability arises from the device's handling of pass filter configurations: when an administrator attempts to block all traffic by setting an empty pass filter table, the device does not enforce any restrictions. Instead, it defaults to allowing all network traffic to pass unfiltered, effectively 'failing open.' This behavior undermines the intended security posture by negating the administrator's configuration to block traffic, potentially exposing the network to unauthorized access or data leakage. The vulnerability requires administrative privileges to configure the pass filter, meaning an attacker must already have elevated access to exploit it. The CVSS v3.1 base score is 4.9 (medium severity), reflecting the high impact on confidentiality but no impact on integrity or availability, with low attack complexity and no user interaction needed. No patches or known exploits currently exist, and the vulnerability was published in March 2026. This issue highlights a critical design flaw in the device's filtering logic, where an empty filter list is interpreted as 'allow all' rather than 'deny all,' violating the principle of secure failure. Organizations using the UBR-01 Mk II must be cautious when configuring pass filters and monitor for updates from MBS to address this flaw.
Potential Impact
The primary impact of CVE-2025-41760 is the potential exposure of sensitive network traffic due to the device allowing all traffic when an empty pass filter is configured. This compromises confidentiality by permitting unauthorized data flows that should have been blocked. While integrity and availability are not directly affected, the lack of enforced filtering can facilitate reconnaissance, data exfiltration, or lateral movement by attackers who have gained administrative access. The vulnerability undermines trust in the device's security controls, potentially leading to compliance violations and increased risk of data breaches. Organizations relying on the UBR-01 Mk II for perimeter or internal network filtering may find their security posture weakened, especially in environments requiring strict traffic segmentation. Exploitation requires administrative privileges, which limits the attack surface but does not eliminate risk, particularly if credential compromise or insider threats exist. The absence of patches means the vulnerability may persist until addressed by the vendor, necessitating interim mitigations. Overall, the vulnerability can lead to significant confidentiality breaches and operational risks for organizations worldwide using this device.
Mitigation Recommendations
To mitigate CVE-2025-41760, organizations should:
- Avoid configuring empty pass filter tables on the MBS UBR-01 Mk II device, as this results in unfiltered traffic passage. Instead, explicitly define pass filters with specific allowed traffic rules to ensure proper enforcement.
- Implement strict access controls and monitoring on administrative interfaces to prevent unauthorized configuration changes.
- Employ network segmentation and additional filtering layers, such as external firewalls or intrusion prevention systems, to compensate for the device's filtering shortcomings.
- Regularly audit device configurations to detect any empty or misconfigured pass filters.
- Engage with MBS support channels to obtain updates on patches or firmware releases addressing this vulnerability and apply them promptly once available.
- Consider deploying network traffic monitoring solutions to detect anomalous flows that may indicate exploitation attempts.
- Incorporate this vulnerability into risk assessments and incident response plans to prepare for potential exploitation scenarios.
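The empty-table semantics described in the Technical Summary and the configuration audit recommended above, as an added example that is not MBS code and does not use the device's real configuration format. The function names, the dictionary layout of `SAMPLE_CONFIG`, and the choice of CIDR source networks as table entries are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

def _matches(src, table):
    # True if the source address falls inside any listed network.
    return any(ip_address(src) in ip_network(net) for net in table)

def passes_fail_open(src, pass_table):
    """Behaviour the advisory describes: an empty table restricts nothing."""
    if not pass_table:
        return True  # empty list read as "allow all"
    return _matches(src, pass_table)

def passes_fail_closed(src, pass_table):
    """Allowlist semantics: no matching entry means drop, so empty blocks all."""
    return _matches(src, pass_table)

def audit_pass_filters(config):
    """Return the names of enabled pass filters whose table is missing or empty."""
    findings = []
    for name, flt in config.get("filters", {}).items():
        if flt.get("mode") != "pass" or not flt.get("enabled", True):
            continue
        if not flt.get("table"):  # covers both a missing key and []
            findings.append(name)
    return sorted(findings)

# Constructed sample export; hypothetical layout, not the UBR-01 Mk II format.
SAMPLE_CONFIG = {
    "filters": {
        "lan-to-wan": {"mode": "pass", "enabled": True, "table": ["10.0.5.0/24"]},
        "quarantine": {"mode": "pass", "enabled": True, "table": []},
        "legacy":     {"mode": "pass", "enabled": False, "table": []},
        "mgmt":       {"mode": "pass", "enabled": True},
    }
}

if __name__ == "__main__":
    src = "192.0.2.10"  # constructed address outside every listed network
    print("fail-open,   empty table:", passes_fail_open(src, []))
    print("fail-closed, empty table:", passes_fail_closed(src, []))
    for name in audit_pass_filters(SAMPLE_CONFIG):
        print("empty pass table on enabled filter:", name)
```
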
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:18:45.760Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ae86d72904315ca3e5dbeb
Added to database: 3/9/2026, 8:37:43 AM
Last enriched: 3/9/2026, 8:54:20 AM
Last updated: 3/13/2026, 5:58:41 PM