CVE-2025-27853

EUVD-2025-209831
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 21%
Affected Products (NVD)
VendorProductVersion
garminempirbus_wireless_display_unit_firmware
1.4.6
garminempirbus_wireless_display_unit_firmware
5.00
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://garmin.com
https://www8.garmin.com/support/ch.jsp?product=010-02642-00