CVE-2025-41765: CWE-862 Missing Authorization in MBS UBR-01 Mk II
CVE-2025-41765 is a critical vulnerability in the MBS UBR-01 Mk II device caused by missing authorization enforcement on the wwwupload.cgi endpoint. An unauthenticated remote attacker can exploit this flaw to upload and apply arbitrary data, including sensitive items such as HTTPS certificates, system backups, and BACnet/SC server keys. This can lead to full compromise of device integrity and availability without requiring any user interaction. The vulnerability has a CVSS 3.1 score of 9.1, indicating high exploitability and severe impact. No known exploits are currently reported in the wild. Organizations using this device should urgently implement strict access controls and monitor for suspicious uploads to mitigate risk. The threat is particularly relevant to industries relying on BACnet/SC protocols and critical infrastructure sectors worldwide.
AI Analysis
Technical Summary
CVE-2025-41765 is a critical security vulnerability identified in the MBS UBR-01 Mk II device, stemming from CWE-862: Missing Authorization. The flaw exists in the wwwupload.cgi endpoint, which lacks proper authorization checks, allowing an unauthenticated remote attacker to upload arbitrary data to the device. This includes highly sensitive data types such as contact images, HTTPS certificates, system backups used for restoration, server peer configurations, and BACnet/SC server certificates and keys. Exploitation of this vulnerability can lead to unauthorized modification or replacement of critical device files, potentially enabling attackers to manipulate device behavior, intercept or spoof communications, or cause denial of service. The vulnerability is remotely exploitable over the network without any authentication or user interaction, as reflected in its CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N). The CVSS base score of 9.1 classifies it as critical, highlighting the severe impact on integrity and availability, though confidentiality impact is rated none. The vulnerability was published in March 2026, with no patches currently available and no known exploits in the wild. The device’s role in BACnet/SC environments suggests that exploitation could have significant implications for building automation and industrial control systems. The lack of authorization enforcement indicates a fundamental security design flaw, necessitating urgent remediation efforts.
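The following is an added example, not code from this page or from the device vendor: a hypothetical upload handler showing the CWE-862 shape described above, beside a hardened version that decides authorization before any parsing or apply step. The request fields, session store, role names and upload-type strings are assumptions made for illustration; only the endpoint name wwwupload.cgi and the kinds of artefacts it accepts (HTTPS certificate, backup, BACnet/SC key) come from the advisory.

```python
"""Illustrative model of CWE-862 (missing authorization) on a device upload
endpoint. Hypothetical example code, not the UBR-01 Mk II firmware: the
request fields, session store, role names and apply actions are assumptions
made to show the pattern, not the device's real interface."""
from dataclasses import dataclass, field
from typing import Dict, Optional

UPLOAD_PATH = "/wwwupload.cgi"          # endpoint named in the advisory
# Upload kinds the advisory lists; the string names here are assumptions.
ALLOWED_TYPES = {"https_cert", "backup", "bacnet_sc_key"}


@dataclass
class Request:
    method: str
    path: str
    session_id: Optional[str]   # session cookie, absent for anonymous callers
    upload_type: str
    body: bytes


@dataclass
class Device:
    """Device state that the upload endpoint is allowed to overwrite."""
    https_cert: bytes = b"factory-cert"
    backup: bytes = b""
    bacnet_sc_key: bytes = b"factory-key"
    # session_id -> role; populated by a login handler not modelled here
    sessions: Dict[str, str] = field(default_factory=dict)


def apply_upload(dev: Device, upload_type: str, body: bytes) -> int:
    """Persist the uploaded artefact. Once this runs, integrity is gone."""
    if upload_type == "https_cert":
        dev.https_cert = body
    elif upload_type == "backup":
        dev.backup = body          # a real device would restore from it
    elif upload_type == "bacnet_sc_key":
        dev.bacnet_sc_key = body
    return 200


def handle_upload_vulnerable(dev: Device, req: Request) -> int:
    """CWE-862 shape: the request is validated for *form*, but nobody asks
    *who* is calling. Any network peer that reaches the endpoint can apply data."""
    if req.method != "POST" or req.path != UPLOAD_PATH:
        return 404
    if req.upload_type not in ALLOWED_TYPES:
        return 400
    return apply_upload(dev, req.upload_type, req.body)


def handle_upload_fixed(dev: Device, req: Request) -> int:
    """Authorization is decided first, before any parsing or side effect,
    and the default is deny: no session -> 401, insufficient role -> 403."""
    if req.method != "POST" or req.path != UPLOAD_PATH:
        return 404
    role = dev.sessions.get(req.session_id) if req.session_id else None
    if role is None:
        return 401
    if role != "admin":
        return 403
    if req.upload_type not in ALLOWED_TYPES:
        return 400
    return apply_upload(dev, req.upload_type, req.body)


if __name__ == "__main__":
    anon = Request("POST", UPLOAD_PATH, None, "bacnet_sc_key", b"attacker-key")
    d = Device()
    print("vulnerable:", handle_upload_vulnerable(d, anon), d.bacnet_sc_key)
    d = Device()
    print("fixed:", handle_upload_fixed(d, anon), d.bacnet_sc_key)
```

The point of the fixed handler is ordering: the identity and role check is the first thing that runs after routing, nothing is parsed or written before it, and the two failure modes are distinguished (401 for no session, 403 for a session without the admin role) so that device logs show which control rejected a request.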
Potential Impact
The impact of CVE-2025-41765 is severe for organizations deploying the MBS UBR-01 Mk II, especially those in critical infrastructure sectors such as building automation, industrial control, and facilities management that use BACnet/SC. Successful exploitation allows an attacker to upload and apply arbitrary data, including system backups and cryptographic keys, which can amount to complete device compromise: unauthorized control over device functions, manipulation of network communications, and disruption of services, with potential operational downtime and safety risks. The ability to replace HTTPS certificates and BACnet/SC server keys also opens the way to man-in-the-middle attacks and persistent unauthorized access. Because no authentication or user interaction is required, any device reachable from an untrusted network is exposed, which raises the likelihood of exploitation. The absence of a patch further elevates risk and makes mitigation harder. The CVSS vector rates direct confidentiality impact as none, but organizations relying on these devices face integrity and availability breaches and, through replaced certificates and keys, exposure of the communications that depend on them, with cascading effects on dependent systems and processes.
Mitigation Recommendations
Given the absence of an official patch, organizations should immediately implement compensating controls to mitigate this vulnerability. These include restricting network access to the MBS UBR-01 Mk II devices by placing them behind firewalls or network segmentation to limit exposure of the wwwupload.cgi endpoint to trusted management networks only. Employ strict access control lists (ACLs) and VPNs for remote management to prevent unauthorized external access. Monitor device logs and network traffic for unusual upload activity or unauthorized configuration changes. If possible, disable or restrict the wwwupload.cgi endpoint until a patch is available. Conduct regular backups of device configurations and system states to enable recovery from potential compromise. Engage with the vendor for updates and apply patches promptly once released. Additionally, perform security audits and penetration testing focused on device management interfaces to identify other potential weaknesses. Educate operational technology (OT) and IT teams about this vulnerability to ensure rapid detection and response.
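As an added example of the monitoring step above (not tooling from this page or from the vendor), the detection pass below flags access-log hits on wwwupload.cgi by source network. It assumes Common Log Format, since the device's actual log format is not documented here, and assumes 10.10.5.0/24 is the trusted management subnet; the log lines it runs over are constructed for the example, and the query string on one of them is illustrative only.

```python
"""Detection pass over web-server access logs for a device exposing
wwwupload.cgi. Added example, not the vendor's or the page's own tooling.
Assumptions: logs are in Common Log Format (the UBR-01 Mk II's real log
format is not documented on the page) and 10.10.5.0/24 is the trusted
management subnet. SAMPLE_LOG is constructed for the example."""
import ipaddress
import re
from typing import Dict, List, Optional

UPLOAD_ENDPOINT = "wwwupload.cgi"
# Assumed management network; any other source is treated as untrusted.
TRUSTED_MGMT = [ipaddress.ip_network("10.10.5.0/24")]

# Common Log Format: host ident authuser [date] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample: one admin upload from the management net, one upload
# and one probe from an outside address, and one unparseable line.
SAMPLE_LOG = """\
10.10.5.20 - - [09/Mar/2026:08:40:01 +0000] "GET /index.cgi HTTP/1.1" 200 1523
10.10.5.20 - - [09/Mar/2026:08:41:10 +0000] "POST /wwwupload.cgi HTTP/1.1" 200 312
203.0.113.45 - - [09/Mar/2026:08:42:33 +0000] "POST /wwwupload.cgi?v=2 HTTP/1.1" 200 312
203.0.113.45 - - [09/Mar/2026:08:42:35 +0000] "GET /wwwupload.cgi HTTP/1.1" 200 98
this line is not a valid access-log record
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the CLF fields of one line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip_text: str) -> bool:
    """Unparseable or non-management addresses are untrusted (fail closed)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_MGMT)


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Severity for one hit on the upload endpoint, or None if not alert-worthy."""
    path = rec["path"].split("?", 1)[0]
    if not path.endswith("/" + UPLOAD_ENDPOINT):
        return None
    trusted = is_trusted(rec["ip"])
    is_post = rec["method"] == "POST"
    if not trusted and is_post and rec["status"].startswith("2"):
        return "critical"   # upload accepted from outside the management net
    if not trusted:
        return "high"       # endpoint reachable from an untrusted source at all
    if is_post:
        return "review"     # legitimate path, but confirm against change records
    return None             # GET from the management net: normal UI page load


def flag_upload_events(lines: List[str]) -> List[Dict[str, str]]:
    """Run every line through the parser and classifier; return the alerts."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev:
            alerts.append({"severity": sev, "ip": rec["ip"], "ts": rec["ts"],
                           "method": rec["method"], "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for alert in flag_upload_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feed it the device's exported web logs (or a syslog forward of them) instead of SAMPLE_LOG, and treat any "critical" hit as a confirmed integrity event: the certificate, backup and BACnet/SC key material on that device should be assumed replaced until verified against known-good copies. A "high" hit means the endpoint is reachable from outside the management subnet, which is exactly the exposure the segmentation advice above is meant to remove.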
Affected Countries
United States, Germany, France, United Kingdom, Japan, South Korea, China, Canada, Australia, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:18:45.760Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ae86d82904315ca3e5dc3c
Added to database: 3/9/2026, 8:37:44 AM
Last enriched: 3/9/2026, 8:52:48 AM
Last updated: 3/9/2026, 10:53:21 AM