CVE-2025-41765 is a critical security vulnerability identified in the MBS UBR-01 Mk II device, classified under CWE-862 (Missing Authorization). The root cause is insufficient authorization enforcement on the device's wwwupload.cgi endpoint, which is accessible remotely without requiring authentication or user interaction. This endpoint allows uploading and applying arbitrary data files, including contact images, HTTPS certificates, system backups, server peer configurations, and BACnet/SC server certificates and keys. Because the attacker can upload and apply these files, they can manipulate the device’s configuration, replace trusted certificates, restore malicious backups, or alter server keys, leading to full compromise of device integrity and availability. The vulnerability has a CVSS 3.1 base score of 9.1, indicating a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged but the impact on integrity and availability is high, while confidentiality impact is rated none. Although no public exploits are currently known, the vulnerability’s nature makes it a prime target for attackers aiming to disrupt or control industrial or building automation systems. The affected version is listed as 0.0.0, which likely indicates all current versions or a placeholder, suggesting broad exposure. The lack of available patches at the time of publication increases the urgency for organizations to implement alternative mitigations. The device’s role in managing critical infrastructure components such as BACnet/SC server certificates further elevates the risk profile.

The potential impact of CVE-2025-41765 is severe for organizations worldwide, especially those relying on MBS UBR-01 Mk II devices in industrial, building automation, or critical infrastructure environments. An attacker exploiting this vulnerability can upload malicious or manipulated data to the device, leading to unauthorized configuration changes, replacement of trusted certificates, and restoration of compromised backups. This can result in loss of device integrity, enabling persistent unauthorized control or disruption of services. Availability can also be impacted if the attacker applies corrupted backups or configurations, causing device malfunction or denial of service. The compromise of HTTPS and BACnet/SC certificates can facilitate man-in-the-middle attacks, interception of sensitive communications, or lateral movement within networks. Given the device’s likely deployment in operational technology (OT) environments, exploitation could disrupt critical services such as building management, industrial control systems, or energy distribution. The absence of authentication requirements and user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. The lack of known exploits currently suggests a window of opportunity for defenders to act before widespread attacks occur.

To mitigate CVE-2025-41765, organizations should immediately implement the following specific measures: 1) Restrict network access to the wwwupload.cgi endpoint by applying strict firewall rules or network segmentation to limit exposure only to trusted management networks. 2) Employ intrusion detection/prevention systems (IDS/IPS) to monitor and block unauthorized upload attempts targeting the vulnerable endpoint. 3) If possible, disable or restrict the wwwupload.cgi functionality until a vendor patch is available. 4) Implement strong physical and logical access controls to prevent unauthorized personnel from accessing the device or its management interfaces. 5) Regularly audit device configurations and certificates to detect unauthorized changes or suspicious uploads. 6) Maintain offline, verified backups of device configurations and certificates to enable recovery from compromise. 7) Engage with the vendor (MBS) to obtain timely patches or firmware updates addressing the vulnerability. 8) Consider deploying compensating controls such as application-layer gateways or proxy servers that enforce authentication and authorization on the upload endpoint. 9) Conduct security awareness training for personnel managing these devices to recognize and respond to potential exploitation attempts. These targeted actions go beyond generic advice by focusing on controlling access to the vulnerable interface and monitoring for exploitation attempts in the absence of an immediate patch.