A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint, to read arbitrary files on the system.
The device includes chicken bits or undocumented features that can create entry points for unauthorized actors.
https://cwe.mitre.org/data/definitions/1242.html

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
https://capec.mitre.org/data/definitions/36.html

An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.
https://capec.mitre.org/data/definitions/212.html

| Product | Vendor | Status |
|---|---|---|
| universal_bacnet_router_firmware | * | Tracked |