MBS Universal BACnet Router Arbitrary File Write Vulnerability in wwwubr.cgi
Vulnerability
A vulnerability exists in the MBS Universal BACnet Router's web interface, specifically within an undocumented API endpoint called wwwubr.cgi. The 'ubr-editfile' method allows low-privileged remote attackers to write arbitrary files to the system. This vulnerability is present in both the 32 MB and 64 MB RAM firmware versions. The issue arises because the 'ubr-editfile' method, likely a leftover from an older version, is unused and undocumented, yet it remains accessible for exploitation.
Impact
Exploitation of this vulnerability gives attackers full control over the file system. They can overwrite any file, replace existing scripts with malicious ones that will be executed, change passwords for web interface and SSH accounts, modify various configuration files, and manipulate network filters.
Remediation
Users are advised to update to the new firmware version V6.0.1.0 for the Universal BACnet Router. This update is available for both the 32 MB and 64 MB RAM versions. For more details, please check the release notes on the MBS Solutions website.
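Two checks a defender would want from this advisory, as an added example that is not MBS code: an inventory check that treats any firmware older than V6.0.1.0 as unpatched (an assumption; the page names only the fixed version), and a log scan that flags requests to the undocumented wwwubr.cgi endpoint, raising severity when the 'ubr-editfile' method name appears. The access-log layout, the `method=` query parameter and the sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

FIXED_VERSION = (6, 0, 1, 0)   # V6.0.1.0, the firmware the advisory points to
ENDPOINT = "wwwubr.cgi"        # undocumented endpoint named in the advisory
METHOD = "ubr-editfile"        # arbitrary-file-write method named in the advisory

# Assumed common/combined access-log layout; the router's own log format is not on the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn 'V6.0.1.0' or '6.0.1' into a 4-tuple of ints for comparison."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def is_patched(version: str) -> bool:
    """Assumption: every build below V6.0.1.0 still exposes ubr-editfile."""
    return parse_version(version) >= FIXED_VERSION


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    severity: str


def find_suspicious_requests(lines):
    """Flag any hit on wwwubr.cgi; escalate when the ubr-editfile method is in the request line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or ENDPOINT not in m["path"]:
            continue
        severity = "high" if METHOD in m["path"] else "medium"
        findings.append(Finding(m["ip"], m["ts"], m["path"], severity))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2025:08:01:15 +0000] "POST /wwwubr.cgi?method=ubr-editfile HTTP/1.1" 200 41',
    '198.51.100.4 - - [10/Mar/2025:08:02:00 +0000] "GET /wwwubr.cgi HTTP/1.1" 200 130',
]

if __name__ == "__main__":
    for f in find_suspicious_requests(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.ip} {f.ts} {f.path}")
    print("V5.9.0.0 patched:", is_patched("V5.9.0.0"))
```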