Description
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker.
Published: 2026-05-13
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Garmin WDU web interface serves a locally hosted site that uses WebSockets to control both normal and administrative settings. A flaw in the origin validation allows a cross‑site origin WebSocket hijacking attack. If an attacker can get a user to visit a malicious site while the user’s browser is on the Garmin Marine Network, the attacker can hijack the WebSocket connection and issue commands that give full control over the WDU.

Affected Systems

Garmin WDU version 1 (1.4.6) and version 2 (5.0) are affected. No other vendors or products are known from the CNA data. Systems running these firmware versions that expose the web interface are at risk.

Risk and Exploitability

EPSS score is < 1% and the vulnerability is not listed in CISA’s KEV catalog, so there is no public data on active exploitation. The attack path requires the victim to be using a browser on a multihomed host that has interfaces on both the Garmin network and another network, and to navigate to a malicious website that initiates the WebSocket hijack. Attackers would therefore need user interaction, making the likelihood moderate. Nonetheless, the impact is high: a successful exploit provides administrative control over the device, potentially allowing unauthorized configuration changes or data exfiltration. The CVSS score is 9.3, indicating high severity.

Generated by OpenCVE AI on May 14, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Garmin firmware update that fixes the WebSocket origin validation flaw, preventing cross‑site hijacking.
  • Enforce strict WebSocket origin checks or disable cross‑origin connections, ensuring only trusted origins can connect.
  • Implement CSRF protection for administrative WebSocket commands, such as using anti‑CSRF tokens (CWE‑352), to prevent unauthorized command execution.
  • Restrict public access to the WDU web interface, limiting it to trusted internal networks only.
  • Implement network segmentation so that clients cannot access external malicious sites while connected to the Garmin network, thereby preventing hijack initiation.

Generated by OpenCVE AI on May 14, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Garmin empirbus Wireless Display Unit
Garmin empirbus Wireless Display Unit Firmware
CPEs cpe:2.3:h:garmin:empirbus_wireless_display_unit:v1:*:*:*:*:*:*:*
cpe:2.3:h:garmin:empirbus_wireless_display_unit:v2:*:*:*:*:*:*:*
cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:1.4.6:*:*:*:*:*:*:*
cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:5.00:*:*:*:*:*:*:*
Vendors & Products Garmin empirbus Wireless Display Unit
Garmin empirbus Wireless Display Unit Firmware

Thu, 14 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Cross‑Site WebSocket Hijacking in Garmin WDU Firmware

Thu, 14 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title WebSocket Hijacking Exploit Enables Full Control of Garmin WDU
Weaknesses CWE-1030
CWE-307

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-352
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Garmin
Garmin wdu
Vendors & Products Garmin
Garmin wdu

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title WebSocket Hijacking Exploit Enables Full Control of Garmin WDU
Weaknesses CWE-1030
CWE-307

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker.
References

Subscriptions

Garmin Empirbus Wireless Display Unit Empirbus Wireless Display Unit Firmware Wdu
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T15:35:05.024Z

Reserved: 2025-03-09T00:00:00.000Z

Link: CVE-2025-27851

cve-icon Vulnrichment

Updated: 2026-05-14T15:34:08.882Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T21:16:41.233

Modified: 2026-06-02T19:04:03.550

Link: CVE-2025-27851

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses