MBS Universal BACnet Router Session Token Exposure Vulnerability in wwwupdate.cgi

Vulnerability

A vulnerability exists in the MBS Universal BACnet Router's web interface, specifically within the wwwupdate.cgi endpoint. Unauthenticated remote attackers can access valid session tokens, which are transmitted in plaintext via URL parameters. This exposure increases the risk of session token interception, potentially allowing unauthorized access to user accounts. The vulnerability affects all UBR firmware versions prior to 6.0.1.0.

Impact

Exposing session tokens in URLs allows attackers to hijack user sessions and gain unauthorized access. This is particularly concerning because session tokens on this device do not expire, so an exposed token stays valid and the exposure is persistent.

Remediation

Users are advised to update to the latest UBR firmware version 6.0.1.0, which addresses this vulnerability. For more details, please check the release notes on the MBS Solutions website.
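For devices that cannot be updated right away, the web or proxy logs in front of the router can be reviewed for the exposure described above. The following is an added example, not part of the original advisory or the vendor's code: it finds token-like query values sent to wwwupdate.cgi, reports only a hash of each, and flags a token presented by more than one client address. The log format, the parameter name "sid", the token-shape heuristic and all sample values are assumptions constructed for the example.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines (Common Log Format). The parameter name "sid" and
# every value below are made up; the advisory does not name the parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2026:09:00:01 +0000] "GET /wwwupdate.cgi?sid=3f9a1c7e5b2d4a6f8e0c1b2a3d4e5f60 HTTP/1.1" 200 512
10.0.0.5 - - [09/Mar/2026:09:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.44 - - [09/Mar/2026:11:30:12 +0000] "GET /wwwupdate.cgi?sid=3f9a1c7e5b2d4a6f8e0c1b2a3d4e5f60 HTTP/1.1" 200 512
10.0.0.7 - - [09/Mar/2026:12:00:00 +0000] "GET /wwwupdate.cgi?sid=aa11bb22cc33dd44ee55ff6677889900&page=2 HTTP/1.1" 200 512
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')
# Heuristic (assumption): 16+ characters from a token-like alphabet.
TOKEN_LIKE = re.compile(r'^[A-Za-z0-9_\-+/=]{16,}$')

def fingerprint(value):
    """Short SHA-256 prefix so the report never repeats the live token."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

def find_token_exposure(log_text, endpoint="/wwwupdate.cgi"):
    """Map token fingerprint -> set of client IPs that sent it in a URL."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        url = urlsplit(target)
        if url.path != endpoint:
            continue
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            if TOKEN_LIKE.match(value):
                seen[fingerprint(value)].add(client)
    return dict(seen)

def shared_tokens(exposure):
    """Tokens presented by more than one client address: possible reuse."""
    return {fp: ips for fp, ips in exposure.items() if len(ips) > 1}

if __name__ == "__main__":
    for fp, ips in sorted(find_token_exposure(SAMPLE_LOG).items()):
        flag = "REUSED" if len(ips) > 1 else "seen"
        print(f"{flag:6} token#{fp} from {sorted(ips)}")
```

Because the tokens do not expire on affected firmware, a fingerprint that shows up from a second address days later is as significant as one that shows up within minutes.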

Added: Mar 9, 2026, 9:22 AM
Updated: Mar 9, 2026, 9:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.4
remediation: 0.0
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.