CVE-2025-41761

7.8 HIGH

📋 TL;DR

A local privilege escalation vulnerability allows low-privileged attackers with access to the UBR service account to gain full system control. This occurs because the service account can execute privileged binaries like tcpdump and ip via sudo. Systems using UBR service accounts with sudo permissions for these binaries are affected.

💻 Affected Systems

Products:
  • UBR service
Versions: Unknown specific versions - check vendor advisory
Operating Systems: Linux systems with UBR service
Default Config Vulnerable: ⚠️ Yes
Notes: Systems where UBR service account has sudo permissions for tcpdump, ip, or similar binaries are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing complete control over the system, data theft, persistence, and lateral movement.

🟠 Likely Case

Privilege escalation to root by local attackers who have already gained UBR service account access, leading to system manipulation and data access.

🟢 If Mitigated

Limited impact if sudo permissions are properly restricted and service account access is controlled.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring initial access to the service account.
🏢 Internal Only: HIGH - Internal attackers or compromised service accounts can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial access to UBR service account, then simple sudo command execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.mbs-solutions.de/mbs-2025-0001

Restart Required: No

Instructions:

1. Check the vendor advisory for patches.
2. Apply security updates if available.
3. Review sudo permissions for the UBR service account.

🔧 Temporary Workarounds

Restrict sudo permissions (linux)

Remove or restrict sudo permissions for the UBR service account to prevent privilege escalation.

sudo visudo
# Remove or modify lines granting the UBR service account sudo access to tcpdump, ip, etc.
# Check /etc/sudoers.d/ as well, since drop-in files are not shown by plain visudo.

Implement least privilege (linux)

Ensure the UBR service account only has the permissions it needs and cannot execute privileged binaries. Note that adding the account to a group only helps if the sudo rules and file permissions are keyed to that group; the sudoers entries themselves still have to be removed.

sudo usermod -aG restricted_group ubr_service_account
# restricted_group and ubr_service_account are placeholders; use the group and
# account names configured on the host, then configure appropriate group permissions

🧯 If You Can't Patch

  • Remove sudo permissions for UBR service account from /etc/sudoers or /etc/sudoers.d/
  • Implement strict access controls and monitoring for UBR service account activities

🔍 How to Verify

Check if Vulnerable:

Check sudo permissions for UBR service account: sudo -l -U ubr_service_account

Check Version:

Check UBR service version via package manager or vendor documentation

Verify Fix Applied:

Verify sudo permissions are removed: sudo -l -U ubr_service_account should show no dangerous privileges
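The check above is manual: read `sudo -l -U` output and look for dangerous entries. The following is an added example (not part of this page or the vendor's tooling) that parses that output and flags rules granting the binaries named in the advisory. The sample output, the account name `ubr_service_account` (the placeholder used on this page) and the host name are constructed; on a real host you would feed it the captured output of `sudo -l -U <account>`.

```python
import os
import re
from dataclasses import dataclass

# Binaries that, when runnable via sudo, are flagged by this audit.
# tcpdump and ip are the ones named in the advisory; extend as needed.
RISKY_BINARIES = {"tcpdump", "ip"}

# One privilege line of `sudo -l` output, e.g.
#   (root) NOPASSWD: /usr/sbin/tcpdump, /sbin/ip
_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$"
)


@dataclass
class SudoRule:
    runas: str        # contents of the (...) run-as spec
    tags: list        # e.g. ["NOPASSWD"]
    commands: list    # command specs exactly as written in sudoers


def parse_sudo_l(output: str) -> list:
    """Parse the privilege section of `sudo -l -U <user>` output.

    Only lines after the 'may run the following commands' banner are rules;
    the 'Matching Defaults entries' block above it is skipped. Output such as
    'User x is not allowed to run sudo' yields no rules.
    """
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(SudoRule(m.group("runas").strip(), tags, cmds))
    return rules


def risky_rules(rules, risky=RISKY_BINARIES):
    """Return (rule, binary) pairs for every grant of a risky binary.

    A spec of 'ALL' grants every command and is reported as 'ALL'.
    Negated specs ('!/usr/sbin/tcpdump') are deny rules and are skipped.
    """
    hits = []
    for rule in rules:
        for spec in rule.commands:
            if spec.startswith("!"):
                continue
            if spec == "ALL":
                hits.append((rule, "ALL"))
                continue
            exe = os.path.basename(spec.split()[0])
            if exe in risky:
                hits.append((rule, exe))
    return hits


# Constructed sample of `sudo -l -U ubr_service_account` output; not taken
# from any real host. The account and host names are placeholders.
SAMPLE_OUTPUT = """\
Matching Defaults entries for ubr_service_account on host1:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User ubr_service_account may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/tcpdump, /sbin/ip
    (root) /usr/bin/systemctl restart ubr
"""


def audit(output: str = SAMPLE_OUTPUT) -> list:
    """Return (runas, nopasswd, binary) for each risky grant found."""
    rules = parse_sudo_l(output)
    return [(r.runas, "NOPASSWD" in r.tags, exe) for r, exe in risky_rules(rules)]


if __name__ == "__main__":
    for runas, nopw, exe in audit():
        suffix = " without a password" if nopw else ""
        print(f"risky: {exe} runnable as {runas}{suffix}")
```

After remediation the same function should return an empty list for the account's `sudo -l -U` output; the `systemctl restart ubr` entry in the sample is left alone because it is not in the risky set, which is the kind of narrowly scoped rule the least-privilege workaround above leaves in place.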

📡 Detection & Monitoring

Log Indicators:

  • sudo command execution by UBR service account
  • unusual privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

source="sudo" AND user="ubr_service_account" AND command IN ("tcpdump", "ip")
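The SIEM query above assumes the log source already exposes `user` and `command` fields. As an added example (not from this page or any SIEM vendor), the following parses raw syslog lines written by sudo and raises the two log indicators listed above: any sudo use by the service account, with a stronger label when the command is one of the advisory's binaries, and denied attempts. The log lines, host name and the account name `ubr_service_account` (the page's placeholder) are constructed.

```python
import os
import re

WATCHED_USER = "ubr_service_account"   # placeholder account name used on this page
WATCHED_BINARIES = {"tcpdump", "ip"}   # binaries named in the advisory

# Syslog line written by sudo, e.g.
#   Mar  3 10:15:01 host1 sudo: ubr_service_account : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/sbin/ip addr
_SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sudo:\s+"
    r"(?P<user>\S+)\s+:\s+(?P<rest>.*)$"
)


def parse_sudo_line(line: str):
    """Return a dict of the line's fields, or None if it is not a sudo line.

    Fields are ' ; '-separated key=value pairs; a part without '=' is a
    free-text message such as 'user NOT in sudoers' or 'command not allowed'.
    """
    m = _SUDO_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "user": m.group("user"), "message": None}
    for part in m.group("rest").split(" ; "):
        key, sep, val = part.partition("=")
        if sep:
            rec[key.strip()] = val.strip()
        else:
            rec["message"] = part.strip()
    return rec


def classify(rec) -> str:
    """Map a parsed record to an alert label, or '' if it is not of interest."""
    if rec is None or rec["user"] != WATCHED_USER:
        return ""
    if rec["message"]:
        return "sudo_denied"
    cmd = rec.get("COMMAND", "")
    exe = os.path.basename(cmd.split()[0]) if cmd else ""
    if exe in WATCHED_BINARIES and rec.get("USER") == "root":
        return "sudo_watched_binary"
    return "sudo_by_service_account"


def scan(lines) -> list:
    """Return (label, timestamp, detail) for every line that raises an alert."""
    alerts = []
    for line in lines:
        rec = parse_sudo_line(line)
        label = classify(rec)
        if label:
            alerts.append((label, rec["ts"], rec["message"] or rec.get("COMMAND")))
    return alerts


# Constructed sample log lines; not captured from any real system.
SAMPLE_LOG = [
    "Mar  3 10:15:01 host1 sudo: ubr_service_account : TTY=pts/0 ; PWD=/opt/ubr ; USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -c 10",
    "Mar  3 10:15:07 host1 sudo: ubr_service_account : TTY=pts/0 ; PWD=/opt/ubr ; USER=root ; COMMAND=/sbin/ip addr show",
    "Mar  3 10:16:00 host1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:16:30 host1 sudo: ubr_service_account : TTY=pts/0 ; PWD=/opt/ubr ; USER=root ; COMMAND=/usr/bin/systemctl restart ubr",
    "Mar  3 10:17:00 host1 sudo: ubr_service_account : user NOT in sudoers ; TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/id",
    "Mar  3 10:17:05 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    for label, ts, detail in scan(SAMPLE_LOG):
        print(f"{ts} {label}: {detail}")
```

The `sudo_denied` label fires after the sudoers entries have been removed, which is exactly when an attempt by the service account to use them is most informative; the plain `sudo_by_service_account` label is noisy on hosts where the account legitimately uses sudo and is best kept as a low-severity audit signal.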
