CVE-2025-41761 is a vulnerability classified under CWE-88, which involves improper neutralization of argument delimiters in command execution, commonly referred to as argument injection. This vulnerability affects the MBS UBR-01 Mk II device, specifically its UBR service account. The service account is allowed to execute certain binaries such as tcpdump and ip with sudo privileges. However, the commands executed do not properly sanitize or neutralize argument delimiters, allowing a low-privileged local attacker who has gained access to the service account (for example, through SSH) to inject malicious arguments. This injection can escalate the attacker's privileges from the service account level to full system root access. The vulnerability does not require user interaction and has a low attack complexity, but it does require local access to the service account. The impact includes full compromise of confidentiality, integrity, and availability of the affected system. Although no public exploits are currently known and no patches have been released, the vulnerability poses a significant risk due to the elevated privileges granted to the service account and the nature of the injection flaw. The CVSS v3.1 score of 7.8 reflects a high severity, with attack vector local, low attack complexity, privileges required low, no user interaction, and high impact on confidentiality, integrity, and availability.

The vulnerability allows an attacker with low-privileged local access to escalate privileges to full system control, leading to complete compromise of the affected device. This can result in unauthorized data access, manipulation, or destruction, disruption of network services, and potential pivoting to other systems within the network. For organizations relying on the MBS UBR-01 Mk II, this could mean critical infrastructure disruption, loss of sensitive information, and significant operational downtime. Since the vulnerability involves binaries like tcpdump and ip, attackers could manipulate network traffic monitoring or routing configurations, further amplifying the impact. The lack of patches and known exploits increases the urgency for organizations to implement mitigations proactively. The high CVSS score indicates a serious threat that could be exploited by insiders or attackers who have gained initial foothold, making it a critical concern for network security and system integrity.

1. Immediately restrict SSH and local access to the UBR service account to trusted personnel only. 2. Implement strict access controls and monitoring on the service account usage, including logging all sudo command executions. 3. Use sudoers configuration to limit the commands and arguments the service account can execute, employing command whitelisting and argument filtering where possible. 4. Employ application whitelisting or mandatory access control (e.g., SELinux, AppArmor) to restrict execution of unauthorized binaries. 5. Monitor network and system logs for unusual activity related to tcpdump, ip, or other binaries run by the service account. 6. If feasible, isolate the UBR-01 Mk II device on a segmented network to reduce exposure. 7. Engage with the vendor (MBS) for updates or patches and apply them promptly once available. 8. Conduct regular security audits and penetration testing focusing on privilege escalation vectors. 9. Consider deploying endpoint detection and response (EDR) solutions to detect anomalous command execution patterns. 10. Educate administrators about the risks of argument injection and the importance of secure sudo configurations.