UBR's wwwupdate.cgi endpoint leaks session tokens in URLs

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

UBR's wwwupdate.cgi endpoint leaks session tokens in URLs

CVE-2025-41772

Summary

An attacker can access sensitive information without logging in because session tokens are visible in URL links. This could allow unauthorized access to user accounts and data. Update UBR to remove or protect these tokens from being exposed in URLs.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mbs-solutions	universal_bacnet_router_firmware	<= 6.0.1.0	–

Original title

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.

Original description

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.

nvd CVSS3.1 7.5

Vulnerability type

CWE-598

https://www.mbs-solutions.de/mbs-2025-0001

Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026