HIGH🇬🇧 English

CVE-2025-27853

CVSS 7.3pub. 2026-05-13upd. 2026-06-02

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Garmin Empirbus Wireless Display Unit

    HW
    Garmin
    v1v2
  • Garmin Empirbus Wireless Display Unit Firmware

    OS
    Garmin
    1.4.65.00
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-27851CRITICAL9.3PL ✓ten sam produkt

WebSocket Hijacking w Garmin WDU — przejęcie kontroli przez sieć

CVE-2025-27850HIGH7.5ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious gr...

CVE-2025-27852MEDIUM5.0ten sam produkt

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (X...

CVE-2023-23298CRITICAL9.8ten sam vendor

The `Toybox.Graphics.BufferedBitmap.initialize` API method in CIQ API version 2.3.0 through 4.1.7 does not val...

CVE-2023-23300CRITICAL9.8ten sam vendor

The `Toybox.Cryptography.Cipher.initialize` API method in CIQ API version 3.0.0 through 4.1.7 does not validat...