Universal bacnet router firmware Vulnerabilities

An attacker can steal valid session tokens from the universal BACnet router firmware because these tokens are visible in the web address used to access the device's update page. This can be done remotely and without needing to log in, making it easy for anyone to exploit if they know the URL.

An attacker can take complete control of the universal BACnet router by exploiting a flaw in its web interface that allows them to bypass security checks when updating the device. This can be done remotely, meaning the attacker doesn't need physical access to the device, making it a serious risk.

This vulnerability allows a low-privileged remote attacker to take complete control of a device by sending a specially crafted HTTP POST request. The attacker only needs network access to the device to exploit this weakness, making it a serious risk for systems using this firmware.

An attacker can exploit a flaw in the universal BACnet router firmware to upload and apply any type of data, such as malicious files or sensitive configuration settings, without proper authorization. This can happen remotely through a specific web endpoint, meaning the attacker doesn’t need physical access to the device.

An attacker can remotely upload and install malicious updates on the universal BACnet router firmware because the system does not properly check if they are authorized to do so. This means that anyone with access to the specific update endpoint can take control of the device without needing any special permissions.

This vulnerability allows a low-privileged remote attacker to download sensitive files, such as system backups and certificate requests, from the device. The attacker can exploit this by accessing a specific web endpoint without needing high-level permissions.

An attacker can exploit a weakness in the backup process of the universal BACnet router firmware to access sensitive information, such as password hashes and certificates, without needing to log in. This vulnerability occurs because the backup files are protected by a weak hash, making it easier for unauthorized users to retrieve the data.

This vulnerability allows a low-privileged attacker who can access the UBR service account to gain full control of the system by using certain commands with elevated permissions. The attacker typically needs to access the system through methods like SSH to exploit this weakness.

This vulnerability allows an attacker to bypass security measures by sending any network traffic through the universal BACnet router, even if an administrator tries to block it with an empty filter list. The issue arises because the router does not enforce restrictions when the filter is empty, meaning no special conditions are needed for an attacker to exploit this flaw.

This vulnerability allows an attacker to bypass network blocking controls by using unsupported identifiers like "*" or "all," which are incorrectly interpreted as allowing all networks instead of blocking them. For this to happen, an administrator must mistakenly configure the router with these values, thinking they are securing the network.

This vulnerability allows a remote attacker with low privileges to overwrite any file on the device, potentially taking full control of the system. It exploits a flaw in the wwupload.cgi endpoint, which means the attacker can manipulate file paths to access and change critical files.

An attacker with low-level access can exploit a flaw in the backup restore feature of the universal BACnet router firmware to create or overwrite any files on the system, potentially taking full control. This can happen without proper checks on the backup files, making it easy for the attacker to manipulate the system.

A low-level attacker can use a hidden API to write any file they want on the system, potentially allowing them to take control or disrupt operations. This vulnerability can be exploited remotely without needing special access, making it particularly dangerous.

An attacker can remotely read any file on the system by exploiting a flaw in the universal BACnet router firmware, as the software does not properly check the file names provided by the attacker. This requires the attacker to have low-level access, but they can manipulate a specific method to access sensitive information stored in files.

This vulnerability allows a low-privileged remote attacker to read any file on the system by exploiting an unused API endpoint in the firmware of the universal BACnet router. The attacker only needs access to this specific method, which is not properly documented or secured.