Apache HTTP Server: Unauthenticated File Writing in Unused API Endpoint

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.1

Apache HTTP Server: Unauthenticated File Writing in Unused API Endpoint

CVE-2025-41756

Summary

An attacker can write arbitrary files on the system without a password, which could allow them to delete or modify important system files. This is a concern because it could lead to a complete system compromise. To mitigate this risk, update or remove the unused API endpoint.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mbs-solutions	universal_bacnet_router_firmware	<= 6.0.1.0	–

Original title

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system.

Original description

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system.

nvd CVSS3.1 8.1

Vulnerability type

CWE-1242

https://www.mbs-solutions.de/mbs-2025-0001

Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026