CVSS 3.1 score (NVD): 9.1
Unauthorized uploads can modify web server settings and data
CVE-2025-41765
Summary
An unauthorized remote attacker can upload and apply sensitive files, such as HTTPS certificates, through the web upload feature (the wwwupload.cgi endpoint), potentially compromising the security and integrity of the web server. This could lead to unauthorized access or data tampering. To mitigate, ensure that only authorized users can reach the wwwupload.cgi endpoint.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mbs-solutions | universal_bacnet_router_firmware | <= 6.0.1.0 | – |
Original title
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, conta...
Original description
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.
NVD CVSS 3.1
9.1
Vulnerability type
CWE-862: Missing Authorization
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026