CVE-2025-41761: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in MBS UBR-01 Mk II
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.
AI Analysis
Technical Summary
CVE-2025-41761 is classified under CWE-88, argument injection: the weakness is not that shell metacharacters reach a command line, but that an attacker controls the argument list handed to a privileged program. The affected product is the MBS UBR-01 Mk II; the advisory gives no further description of the device. Its UBR service account runs with low privileges but is permitted to execute certain binaries, the advisory names tcpdump and ip, as root through sudo. Both tools accept options that make them run other programs (tcpdump's -z post-rotate command, ip's netns exec and -batch), so an attacker who reaches the service account, for example over SSH, can pass arguments that make the sudo-elevated binary execute a command of the attacker's choosing and so obtain root. The advisory does not state which argument form the reporter used. The CVSS v3.1 base score is 7.8 (High) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local access and low privileges are required, no user interaction is needed, scope is unchanged, and confidentiality, integrity and availability are all fully impacted. No patch is listed and no in-the-wild exploitation has been observed, but once local access to the service account exists the path to complete compromise is short.
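The argument forms that turn a sudo-permitted tcpdump or ip into a root shell are the tools' own documented options, not anything specific to this device, and they are visible in sudo's log records. The following detection helper is an added example for this page, not code from the advisory or the vendor; the account name "ubr", the host name, the paths and the sample log lines are all assumed.

```shell
#!/bin/sh
# Added example for this page; not code from the advisory or the vendor.
# Scans sudo's syslog lines for the service account (name assumed to be
# "ubr") running tcpdump or ip with the argument forms through which those
# tools execute other programs. Which form the reporter used is not stated
# in the advisory; these are the tools' documented options.

SVC_ACCOUNT="ubr"   # assumed account name

# classify_sudo_line LINE
#   Prints one ALERT line and returns 0 when LINE is a sudo record for the
#   service account whose COMMAND= is an argument-driven use of tcpdump or ip;
#   returns 1 otherwise. sudo's syslog format is
#     sudo:  user : TTY=... ; PWD=... ; USER=root ; COMMAND=/path/bin args
classify_sudo_line() {
  line=$1
  case "$line" in
    *"sudo:"*" $SVC_ACCOUNT : "*"COMMAND="*) ;;
    *) return 1 ;;
  esac
  cmd=${line##*COMMAND=}        # everything after COMMAND=
  bin=${cmd%% *}                # first word: the binary path
  case "${bin##*/}" in
    tcpdump)
      # -z runs a post-rotate command (with -G/-C/-W rotation) as the
      # capturing user, here root
      case " $cmd " in
        *" -z "*) echo "ALERT tcpdump post-rotate command: $cmd"; return 0 ;;
      esac ;;
    ip)
      # "netns exec NS CMD" runs CMD inside a namespace; "-batch FILE"
      # reads ip commands, netns exec included, from an attacker-writable file
      case " $cmd " in
        *" netns exec "*)       echo "ALERT ip netns exec: $cmd"; return 0 ;;
        *" -batch "*|*" -b "*)  echo "ALERT ip batch file: $cmd"; return 0 ;;
      esac ;;
  esac
  return 1
}

# scan_sudo_log < LOG -> one ALERT line per suspicious record
scan_sudo_log() {
  while IFS= read -r l; do
    classify_sudo_line "$l" || true
  done
}

# count_alerts TEXT -> number of ALERT lines produced for TEXT
count_alerts() {
  printf '%s\n' "$1" | scan_sudo_log | wc -l | tr -d ' '
}

# Constructed sample records, assumed for this example (host name, times and
# paths are made up)
SAMPLE_LOG='Mar  9 08:37:43 ubr01 sudo:  ubr : TTY=pts/0 ; PWD=/home/ubr ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -c 100 -w /var/tmp/cap.pcap
Mar  9 08:38:10 ubr01 sudo:  ubr : TTY=pts/0 ; PWD=/home/ubr ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -G 5 -W 1 -z /var/tmp/post.sh
Mar  9 08:39:01 ubr01 sudo:  ubr : TTY=pts/0 ; PWD=/home/ubr ; USER=root ; COMMAND=/sbin/ip link show
Mar  9 08:39:30 ubr01 sudo:  ubr : TTY=pts/0 ; PWD=/home/ubr ; USER=root ; COMMAND=/sbin/ip netns exec default /bin/sh
Mar  9 08:40:00 ubr01 sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/systemctl restart ubr'

# Stand-alone run: prints the two alerts for the sample
printf '%s\n' "$SAMPLE_LOG" | scan_sudo_log
```

On a real device, feed `scan_sudo_log` from the authentication log or `journalctl -t sudo`; an ordinary capture with -w is legitimate use of the same sudo rule, which is why the check keys on the argument forms rather than on the binary name alone.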
Potential Impact
The impact is full compromise of the MBS UBR-01 Mk II by anyone who already holds the UBR service account: root on the device means access to whatever traffic it handles, the ability to alter its configuration, and a foothold from which to move further into the network. If the device sits in the traffic path, a root-level attacker can capture or manipulate that traffic, degrade availability, or install persistence that survives a restart of the service. The local attack vector bounds the exposure: an attacker must first obtain the service account, for example through leaked or default credentials or another weakness, but once that step is taken the escalation itself requires nothing beyond passing arguments to a sudo-permitted binary.
Mitigation Recommendations
Treat the sudo configuration as the fix you control until the vendor ships one. On each device, list what the service account may run (sudo -l -U <account>) and remove tcpdump and ip from its rules, or pin them to an exact argument list: in sudoers a bare path permits any arguments, so /sbin/ip is unsafe where /sbin/ip link show is not, and a wildcard reopens the hole. Where the account must capture traffic, granting the tcpdump binary the cap_net_raw and cap_net_admin file capabilities avoids root via sudo altogether; where sudo must stay, the NOEXEC tag stops the elevated binary from executing other programs on systems where sudo's noexec support applies to the target (dynamically linked binaries). Independently, harden access to the account itself: key-based or multi-factor SSH authentication, no shared or default credentials, and network segmentation so the management interface is reachable only from administrative hosts. Monitor sudo's log records for the service account, in particular tcpdump invocations carrying -z and ip invocations using netns exec or -batch, and treat any of them as an incident rather than noise. Until patched firmware is available, isolate or replace the affected devices, and apply the vendor advisory as soon as it appears.
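The audit step above is mechanical enough to script. The helper below is an added example for this page, not code from the advisory or the vendor; it reads sudoers-style rule lines and reports every command spec that grants tcpdump or ip with free-form or wildcard arguments. The account name "ubr", the binary paths and the sample rules are assumed.

```shell
#!/bin/sh
# Added example for this page; not code from the advisory or the vendor.
# Audits sudoers-style rules for command specs that hand an account an
# "argument-driven" binary without pinning its arguments. Account name,
# paths and the sample rules are assumed.

# Binaries whose own options can run other programs (general tool behaviour,
# not a vendor-specific finding): tcpdump -z runs a post-rotate command,
# ip "netns exec" and "-batch" run commands or command files.
RISKY_BINS="tcpdump ip"

# is_risky_bin PATH -> 0 when basename(PATH) is in RISKY_BINS
is_risky_bin() {
  base=${1##*/}
  for b in $RISKY_BINS; do
    [ "$base" = "$b" ] && return 0
  done
  return 1
}

# check_cmd_spec SPEC -> prints a finding and returns 0 when SPEC grants a
# risky binary with free-form arguments; returns 1 otherwise. sudoers rules:
#   /sbin/ip            any arguments allowed
#   /sbin/ip link *     wildcard arguments
#   /sbin/ip ""         no arguments allowed
#   /sbin/ip link show  exactly these arguments
check_cmd_spec() {
  spec=$(printf '%s' "$1" | sed 's/^ *//;s/ *$//')
  spec=$(printf '%s' "$spec" | sed 's/^\([A-Z]*: *\)*//')  # drop NOPASSWD:, NOEXEC: ...
  path=${spec%% *}
  args=${spec#"$path"}
  args=$(printf '%s' "$args" | sed 's/^ *//')
  is_risky_bin "$path" || return 1
  case "$args" in
    "")    echo "RISKY: $path with any arguments" ;;
    '""')  return 1 ;;
    *\**)  echo "RISKY: $path with wildcard arguments ($args)" ;;
    *)     return 1 ;;
  esac
}

# audit_sudoers < RULES -> one finding per risky command spec
audit_sudoers() {
  while IFS= read -r line; do
    case "$line" in ''|\#*|Defaults*) continue ;; esac
    cmds=${line#*=}          # after "user HOST=" (no-op for sudo -l output)
    cmds=${cmds#\(*\)}       # drop "(root)" run-as spec
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r spec; do
      check_cmd_spec "$spec" || true
    done
  done
}

# count_findings TEXT -> number of findings for the rules in TEXT
count_findings() {
  printf '%s\n' "$1" | audit_sudoers | wc -l | tr -d ' '
}

# Constructed sample: the first rule is the shape the advisory describes, the
# next two are hardened variants, the last is a control entry
SAMPLE_RULES='# assumed /etc/sudoers.d/ubr
Defaults env_reset
ubr ALL=(root) NOPASSWD: /usr/sbin/tcpdump, /sbin/ip
ubr ALL=(root) /usr/sbin/tcpdump -i eth0 -c 100 -w /var/tmp/cap.pcap, /sbin/ip link show
ubr ALL=(root) /sbin/ip link *
ubr ALL=(root) /usr/bin/cat /var/log/ubr.log'

# Stand-alone run: three findings for the sample
printf '%s\n' "$SAMPLE_RULES" | audit_sudoers
```

The parser tolerates both raw sudoers lines and the command lines printed by sudo -l -U <account>, so it can be run against either. A fixed argument list passes the check only because the arguments are exact; it is still worth confirming that none of the pinned arguments are themselves a file the account can write.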
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Australia, Canada, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:18:45.760Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ae86d72904315ca3e5dbee
Added to database: 3/9/2026, 8:37:43 AM
Last enriched: 3/16/2026, 9:41:48 AM
Last updated: 4/28/2026, 2:33:13 PM