{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-41761", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "state": "PUBLISHED", "assignerShortName": "CERTVDE", "dateReserved": "2025-04-16T11:18:45.760Z", "datePublished": "2026-03-09T08:17:11.116Z", "dateUpdated": "2026-03-09T20:14:04.600Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "UBR-01 Mk II", "vendor": "MBS", "versions": [{"lessThan": "6.0.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "UBR-02", "vendor": "MBS", "versions": [{"lessThan": "6.0.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "product": "UBR-LON", "vendor": "MBS", "versions": [{"lessThan": "6.0.1.0", "status": "affected", "version": "0.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Adrien Rey from Cyber Defense Campus Zurich"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Hulliger from Armasuisse"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.<br>"}], "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-03-09T08:17:11.116Z"}, "references": [{"url": "https://www.mbs-solutions.de/mbs-2025-0001"}], "source": {"defect": ["CERT@VDE#641895"], "discovery": "UNKNOWN"}, "title": "Privilege escalation possible", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:02:37.352857Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:14:04.600Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-41761", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:02:37.352857Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:04:15.345Z"}}], "cna": {"title": "Privilege escalation possible", "source": {"defect": ["CERT@VDE#641895"], "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Adrien Rey from Cyber Defense Campus Zurich"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Hulliger from Armasuisse"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MBS", "product": "UBR-01 Mk II", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "6.0.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "MBS", "product": "UBR-02", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "6.0.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "MBS", "product": "UBR-LON", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "6.0.1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mbs-solutions.de/mbs-2025-0001"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.", "supportingMedia": [{"type": "text/html", "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-88", "description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}], "providerMetadata": {"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "shortName": "CERTVDE", "dateUpdated": "2026-03-09T08:17:11.116Z"}}}, "cveMetadata": {"cveId": "CVE-2025-41761", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:14:04.600Z", "dateReserved": "2025-04-16T11:18:45.760Z", "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c", "datePublished": "2026-03-09T08:17:11.116Z", "assignerShortName": "CERTVDE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mbs-solutions:universal_bacnet_router_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4E2B246-5465-41DB-BD9A-1533A7508790", "versionEndExcluding": "6.0.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mbs-solutions:ubr-01_mk_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D812069-6738-4B82-992B-09BB239783AB", "vulnerable": false}, {"criteria": "cpe:2.3:h:mbs-solutions:ubr-02:-:*:*:*:*:*:*:*", "matchCriteriaId": "B21413DE-E1FA-4B5C-A415-F8E70D7090BF", "vulnerable": false}, {"criteria": "cpe:2.3:h:mbs-solutions:ubr-lon:-:*:*:*:*:*:*:*", "matchCriteriaId": "E0C67EAC-C633-4037-B2C4-965455FFF2A0", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo."}, {"lang": "es", "value": "Un atacante local con pocos privilegios que obtiene acceso a la cuenta de servicio UBR (p. ej., a trav\u00e9s de SSH) puede escalar privilegios para obtener acceso completo al sistema. Esto se debe a que a la cuenta de servicio se le permite ejecutar ciertos binarios (p. ej., tcpdump e ip) con sudo."}], "id": "CVE-2025-41761", "lastModified": "2026-03-11T18:27:21.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "info@cert.vde.com", "type": "Primary"}]}, "published": "2026-03-09T09:16:00.263", "references": [{"source": "info@cert.vde.com", "tags": ["Vendor Advisory"], "url": "https://www.mbs-solutions.de/mbs-2025-0001"}], "sourceIdentifier": "info@cert.vde.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-88"}], "source": "info@cert.vde.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,6.0.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UBR-01 Mk II", "source": "cna", "vendor": "MBS"}, "product": "ubr-01_mk_ii", "vendor": "mbs"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,6.0.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UBR-02", "source": "cna", "vendor": "MBS"}, "product": "ubr-02", "vendor": "mbs"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,6.0.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "UBR-LON", "source": "cna", "vendor": "MBS"}, "product": "ubr-lon", "vendor": "mbs"}], "created": "2026-03-10T14:10:05.427166+00:00", "updated": "2026-03-10T14:10:05.427301+00:00", "vendors": ["mbs", "mbs$PRODUCT$ubr-01_mk_ii", "mbs$PRODUCT$ubr-02", "mbs$PRODUCT$ubr-lon"]}