CVE-2025-41772: CWE-598 Use of GET Request Method With Sensitive Query Strings in MBS UBR-01 Mk II
An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.
AI Analysis
Technical Summary
CVE-2025-41772 is a vulnerability identified in the MBS UBR-01 Mk II device, specifically in the wwwupdate.cgi endpoint. The core issue is the use of the HTTP GET request method to transmit sensitive session tokens as query parameters in the URL. According to CWE-598, using GET requests with sensitive data is insecure because URLs can be logged in browser history, server logs, network devices, and proxies, exposing sensitive information to unauthorized parties. In this case, valid session tokens are exposed in plaintext within the URL, allowing unauthenticated remote attackers to intercept or retrieve these tokens without any authentication or user interaction. This enables attackers to hijack sessions or gain unauthorized access to the device's management interface or services relying on these tokens. The vulnerability affects version 0.0.0 of the product, with no patches currently available. The CVSS 3.1 base score is 7.5, reflecting high severity due to the ease of exploitation (network accessible, no privileges or user interaction required) and the high confidentiality impact. Integrity and availability impacts are rated as none. Although no exploits have been reported in the wild, the exposure of session tokens in URLs represents a significant security risk, especially in environments where these devices manage critical infrastructure or sensitive data. The vulnerability was reserved in April 2025 and published in March 2026 by CERTVDE.
Potential Impact
The primary impact of this vulnerability is the compromise of confidentiality through session token leakage. Attackers can obtain valid session tokens without authentication, enabling unauthorized access to the affected device's management interfaces or services. This can lead to unauthorized configuration changes, data exposure, or further lateral movement within a network. While integrity and availability are not directly impacted, the unauthorized access enabled by token theft can indirectly lead to malicious modifications or service disruptions. Organizations deploying MBS UBR-01 Mk II devices in critical infrastructure, telecommunications, or enterprise networks face increased risk of targeted attacks. The ease of exploitation and network accessibility mean that attackers can remotely compromise devices without user interaction, increasing the likelihood of automated scanning and exploitation attempts once the vulnerability becomes widely known. The lack of patches further elevates risk, necessitating immediate mitigation efforts.
Mitigation Recommendations
1. Immediately restrict access to the wwwupdate.cgi endpoint by implementing network-level controls such as firewall rules or VPN-only access to management interfaces.
2. Disable or limit the use of HTTP GET requests for sensitive operations; if possible, configure the device or update firmware to use POST requests or other secure methods that do not expose tokens in URLs.
3. Implement strict logging and monitoring of access to the vulnerable endpoint to detect suspicious activity or token harvesting attempts.
4. Rotate session tokens frequently and invalidate tokens exposed in URLs to minimize the window of exploitation.
5. If possible, isolate affected devices within segmented network zones with limited exposure to untrusted networks.
6. Engage with the vendor (MBS) to obtain patches or firmware updates addressing this vulnerability.
7. Educate administrators on the risks of exposing session tokens in URLs and enforce secure session management practices.
8. Consider deploying web application firewalls (WAFs) or intrusion detection systems (IDS) with custom rules to detect and block attempts to exploit this vulnerability.
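One way to act on recommendations 3 and 4 above, as an added example that is not part of the advisory and not code from MBS: a small Python scanner that reads web-server access log lines, flags GET requests to wwwupdate.cgi whose query string carries a session-token parameter, and produces a redacted copy of each line so the token is not retained in long-term log storage. The advisory does not name the real query parameter, so the parameter names in TOKEN_PARAMS, the Common Log Format assumption, and the sample log lines are all constructed assumptions to adapt to the deployment. Token values are reported only as a SHA-256 fingerprint, so the findings themselves do not re-leak the token while still letting an operator match and invalidate the exposed session.

```python
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: the advisory does not name the parameter that carries the session
# token, so these are hypothetical candidates; replace with the real name(s).
TOKEN_PARAMS = {"token", "session", "sessionid", "sid", "auth"}

# Path of the endpoint named in CVE-2025-41772; matched by suffix so that a
# /cgi-bin/ prefix (or similar) is also caught.
VULNERABLE_PATH_SUFFIX = "/wwwupdate.cgi"

# Assumption: logs are in Common Log Format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass
class Finding:
    client: str
    time: str
    params: list            # which token-bearing parameter names were present
    token_fingerprints: list  # SHA-256 prefixes, never the raw token
    redacted_line: str      # safe copy of the log line for retention


def fingerprint(value: str) -> str:
    """Short, one-way identifier for a token so findings do not re-leak it."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def redact_url(url: str) -> str:
    """Replace the value of every token-bearing query parameter with REDACTED."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in TOKEN_PARAMS else v) for k, v in pairs]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))


def inspect_line(line: str):
    """Return a Finding if the line is a GET to wwwupdate.cgi with a token in the URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    if not parts.path.endswith(VULNERABLE_PATH_SUFFIX):
        return None
    if m.group("method") != "GET":
        # A POST body is not logged in the URL, so it is not the CWE-598 pattern.
        return None
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [(k, v) for k, v in pairs if k.lower() in TOKEN_PARAMS and v]
    if not leaked:
        return None
    return Finding(
        client=m.group("client"),
        time=m.group("time"),
        params=[k for k, _ in leaked],
        token_fingerprints=[fingerprint(v) for _, v in leaked],
        redacted_line=line.replace(url, redact_url(url), 1),
    )


def scan_log(lines):
    """Run inspect_line over every line and keep the hits."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


def hits_per_client(findings):
    """Count findings per source address; a burst from one client is a harvesting signal."""
    counts = {}
    for f in findings:
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


# Constructed sample log lines (not real traffic); the token values are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Mar/2026:08:37:44 +0000] "GET /wwwupdate.cgi?token=deadbeef1234&action=status HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Mar/2026:08:37:45 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '10.0.0.9 - - [09/Mar/2026:08:38:01 +0000] "POST /wwwupdate.cgi HTTP/1.1" 200 128',
    '10.0.0.7 - - [09/Mar/2026:08:38:30 +0000] "GET /cgi-bin/wwwupdate.cgi?sid=a1b2c3d4e5&file=fw.bin HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.client, finding.params, finding.token_fingerprints)
        print("  retain:", finding.redacted_line)
    print(hits_per_client(scan_log(SAMPLE_LOG)))
```

The redacted line is what should go to long-term storage or a SIEM; the fingerprint list is what an operator hands to the device's session-invalidation procedure (recommendation 4) once the real token parameter name is known.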
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERTVDE
- Date Reserved: 2025-04-16T11:18:45.761Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ae86d82904315ca3e5dc45
Added to database: 3/9/2026, 8:37:44 AM
Last enriched: 3/16/2026, 9:47:15 AM
Last updated: 4/23/2026, 11:30:47 AM