MBS Universal BACnet Router UBR Web Interface Unchecked Role Vulnerability in wwwdnload.cgi Endpoint
Vulnerability
A vulnerability exists in the MBS Universal BACnet Router UBR web interface, specifically within the wwwdnload.cgi endpoint. This issue allows low-privileged remote attackers to download resources intended for administrators, such as system backups and certificate request files. The vulnerability arises because the endpoint only verifies the existence of a session, without checking the associated user role, enabling unauthorized access to sensitive information.
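The root cause described above, as an added example that is not code from the device's firmware: a download handler that only checks for a session (the flawed pattern) beside one that also resolves the session's role and compares it against the minimum role each resource requires. The session table, resource names, role ranks and function names are constructed assumptions.

```python
# Constructed session table: session id -> user record (assumption, not the device's format).
SESSIONS = {
    "s-admin": {"user": "admin", "role": "admin"},
    "s-viewer": {"user": "viewer", "role": "user"},
}

# Minimum role required to download each resource (constructed names).
RESOURCE_MIN_ROLE = {
    "backup": "admin",   # full system backup, contains password hashes
    "csr": "admin",      # certificate request material
    "logs": "user",      # harmless for any authenticated user
}

# Numeric rank so "at least this role" comparisons are explicit; unknown roles rank 0.
ROLE_RANK = {"user": 1, "admin": 2}


def handle_download_vulnerable(session_id, resource):
    """Flawed pattern: any valid session may fetch any known resource."""
    if session_id not in SESSIONS:
        return 401  # no session at all
    if resource not in RESOURCE_MIN_ROLE:
        return 404
    return 200  # role is never consulted


def handle_download_fixed(session_id, resource):
    """Hardened pattern: authenticate, then authorize against the resource's minimum role."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401
    required = RESOURCE_MIN_ROLE.get(resource)
    if required is None:
        return 404
    # Deny by default: a missing or unrecognised role ranks below every requirement.
    if ROLE_RANK.get(session.get("role"), 0) < ROLE_RANK[required]:
        return 403  # authenticated, but not permitted for this resource
    return 200
```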
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive information, including web interface password hashes and private keys for HTTPS and BACnet/SC services, which could be used to impersonate the device.
Remediation
Users are advised to update to the latest UBR firmware version 6.0.1.0, which addresses this vulnerability. For more details, please check the release notes on the MBS Solutions website.