CVE-2025-41772

Summary

An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.

Affected Software

VendorProductVersion RangeStatus
MBSUBR-01 Mk II0.0.0 < 6.0.1.0affected
MBSUBR-020.0.0 < 6.0.1.0affected
MBSUBR-LON0.0.0 < 6.0.1.0affected

Weaknesses

  • CWE-598: CWE-598 Use of GET Request Method With Sensitive Query Strings

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References