CVE-2025-41757:
Remote attacker can exploit UBR backup restore functionality to create or overwrite files with elevated privileges.
Score
8.8 High
- Published Date: Mar 9, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.1
- EPSS Percentile: 25%
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: LOW
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2025-41757 affects MBS Solutions' Universal BACnet Router firmware versions prior to 6.0.1.0. It has been assigned a CVSS v3.1 base score of 8.8 (High severity) and is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). The attack vector is network-based, with low attack complexity, low privileges required, and no user interaction. Successful exploitation can have a high impact on the confidentiality, integrity, and availability of the affected system.
Remediation
- To mitigate this vulnerability, update Universal BACnet Router firmware to version 6.0.1.0 or later. If immediate updating is not possible, restrict network access to the affected systems, particularly the backup restore functionality. Additionally, monitoring for unusual file system activity or unauthorized changes to system files can help detect potential exploitation attempts. Following the principle of least privilege and implementing strong access controls can help minimize the risk of exploitation.