Description
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanism to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Garmin’s local web server component, known as Garmin WDU, which improperly handles symbolic links in uploaded graphics packages. An attacker can upload a malicious package containing symlinks that point to any file on the device. When the server processes the upload, it follows those links and serves the target contents. Because the server does not enforce a sandbox or restrict link targets, this behavior lets the attacker read any file that the web server process can access, exposing configuration files, stored credentials, or other sensitive data. The flaw is a classic file‑system disclosure vulnerability and does not directly enable remote code execution, but the exposed data could undermine device security and privacy.

Affected Systems

The flaw is present in Garmin WDU firmware versions 1.4.6 (v1) and 5.0 (v2). These versions are used in a range of Garmin devices that include a local web interface for managing graphics or content. No other vendors or product variations are indicated in the CNA data. If a device is still running either of these firmware versions, it is susceptible to this file‑disclosure attack.

Risk and Exploitability

A CVSS score of 7.5 indicates high severity, and the EPSS score is less than 1%, suggesting a low but non‑zero exploitation probability. Because the vulnerability requires the attacker to have network access to the device’s local web interface and the ability to upload a graphics package, the attack vector is likely local or within an unsecured local network. Nonetheless, the potential impact of leaking arbitrary files is significant for confidentiality and could facilitate further attacks or reveal user data. The vulnerability is not listed in CISA’s KEV catalog, but it remains a noteworthy information‑disclosure risk for devices running the affected firmware.

Generated by OpenCVE AI on May 14, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify the firmware version on the Garmin device and confirm if it matches the vulnerable releases (1.4.6 or 5.0).
  • Contact Garmin support or consult their technical documentation to obtain a firmware update that removes the symlink follow behavior or otherwise restricts file uploads to safe directories.
  • If a firmware update is unavailable, configure the device’s web server (if configuration is possible) to disallow uploads containing symbolic links or to prevent serving files outside the designated graphics directory; if not feasible, disable the web interface or restrict network access to the device.
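The two controls recommended above (rejecting uploads that carry symbolic links, and refusing to serve anything that resolves outside the graphics directory) as an added defensive example in Python; this is not Garmin's code and not from the advisory, and it assumes the graphics package is a tar archive (the actual package format is not stated on this page). The sample archives and directory layout are constructed inline.

```python
import io
import os
import tarfile
import tempfile

def audit_graphics_package(archive_bytes):
    """Upload-time check: reasons to reject a package (empty list = accept)."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():  # link entries are what let served files escape
                problems.append(f"{m.name}: link entry -> {m.linkname}")
            norm = os.path.normpath(m.name)
            if os.path.isabs(m.name) or norm == ".." or norm.startswith("../"):
                problems.append(f"{m.name}: escapes package root")
    return problems

def resolve_within(base_dir, requested):
    """Serve-time check: realpath follows any symlink that slipped through; None if outside."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    return target if os.path.commonpath([base, target]) == base else None

def build_package(entries):
    """Constructed sample archive; entries are (name, data, symlink_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is None:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, link
                tar.addfile(info)
    return buf.getvalue()

CLEAN = build_package([("logo.png", b"\x89PNG", None)])
MALICIOUS = build_package([("theme.css", None, "/etc/passwd")])  # constructed sample

def demo_serve_check():
    """Constructed layout: a graphics dir holding a symlink that points outside it."""
    root = tempfile.mkdtemp()
    gfx = os.path.join(root, "graphics"); os.mkdir(gfx)
    open(os.path.join(root, "secret.txt"), "w").close()
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(gfx, "theme.css"))
    return (resolve_within(gfx, "logo.png") is not None,   # plain file: served
            resolve_within(gfx, "theme.css") is None,      # symlink out: refused
            resolve_within(gfx, "../secret.txt") is None)  # traversal: refused
```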

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

  • First Time appeared (values added): Garmin empirbus Wireless Display Unit; Garmin empirbus Wireless Display Unit Firmware
  • CPEs (values added):
    cpe:2.3:h:garmin:empirbus_wireless_display_unit:v1:*:*:*:*:*:*:*
    cpe:2.3:h:garmin:empirbus_wireless_display_unit:v2:*:*:*:*:*:*:*
    cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:1.4.6:*:*:*:*:*:*:*
    cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:5.00:*:*:*:*:*:*:*
  • Vendors & Products (values added): Garmin empirbus Wireless Display Unit; Garmin empirbus Wireless Display Unit Firmware

Sun, 17 May 2026 20:30:00 +0000

  • First Time appeared (values added): Garmin; Garmin wdu
  • Vendors & Products (values added): Garmin; Garmin wdu

Thu, 14 May 2026 21:00:00 +0000

  • Title (values added): Symlink File Disclosure in Garmin WDU Firmware via Malicious Graphics Package

Thu, 14 May 2026 19:00:00 +0000

  • Title (values added): Arbitrary File Disclosure via Symlink Attack on Garmin WDU Local Web Server
  • Weaknesses (values added): CWE-22

Thu, 14 May 2026 16:30:00 +0000

  • Weaknesses (values added): CWE-59
  • Metrics (values added):
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 21:45:00 +0000

  • Title (values added): Arbitrary File Disclosure via Symlink Attack on Garmin WDU Local Web Server
  • Weaknesses (values added): CWE-22

Wed, 13 May 2026 20:30:00 +0000

  • Description (values added): The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links when serving content. No mechanism to restrict those link targets to a specific area of the filesystem is enabled. This allows an attacker to retrieve arbitrary files from the device.
  • References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T15:38:30.029Z

Reserved: 2025-03-09T00:00:00.000Z

Link: CVE-2025-27850

Vulnrichment

Updated: 2026-05-14T15:36:05.666Z

NVD

Status : Analyzed

Published: 2026-05-13T21:16:41.100

Modified: 2026-06-02T18:49:39.883

Link: CVE-2025-27850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T19:42:06Z

Weaknesses