Apache HTTP Server: Arbitrary File Access via Unsecured API Endpoint

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

Apache HTTP Server: Arbitrary File Access via Unsecured API Endpoint

CVE-2025-41754

Summary

An outdated API in the Apache HTTP Server software allows unauthorized access to sensitive files. This could allow an attacker to access confidential data. To protect against this, ensure all unused API endpoints are disabled or removed.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
mbs-solutions	universal_bacnet_router_firmware	<= 6.0.1.0	–

Original title

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system.

Original description

A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system.

nvd CVSS3.1 6.5

Vulnerability type

CWE-1242

https://www.mbs-solutions.de/mbs-2025-0001

Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 9 Mar 2026