Description
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.
Published: 2026-05-13
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The device's locally served web interface contains a reflected cross-site scripting flaw (CWE-79). An attacker on the same local network segment crafts a URL to the WDU; if a user opens that URL and then clicks an element on the rendered page, the browser runs attacker-supplied JavaScript in the origin of the WDU webpage. The script therefore acts with whatever access the victim's browser holds on the device, and the advisory states that full administrator-level access is possible: reading and changing configuration, exfiltrating data, or disrupting the unit.
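The click requirement in the description is what you get when the reflected text lands inside an attribute of a clickable element rather than directly in page content. The advisory does not say where the WDU reflects input, so the template, the `name` parameter, the button and the attacker URL below are constructed assumptions. This is an added example, not Garmin's code, showing that vulnerable pattern next to its entity-encoded fix:

```javascript
// Added example (not Garmin code): a reflected parameter that becomes XSS
// firing only on click, beside the escaping that prevents it.
// The "name" parameter, the page template and the payload are constructed
// for illustration; the advisory does not document the WDU's injection point.

// Pull one query parameter out of a request URL (base is a placeholder host).
function getParam(url, key) {
  return new URL(url, "http://wdu.local").searchParams.get(key) || "";
}

// Vulnerable template: the parameter is concatenated straight into an HTML
// attribute of a clickable element. A value containing a double quote closes
// the attribute and appends an onclick handler, so the script runs when the
// victim clicks the button: view the URL, then click, exactly as the advisory says.
function renderVulnerable(url) {
  const name = getParam(url, "name");
  return `<button title="${name}">Apply</button>`;
}

// Hardened: entity-encode every character that can close an attribute or
// open a tag before the value is placed in the markup.
function escapeHtml(s) {
  return s.replace(/[&<>"'\/]/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
  })[c]);
}

function renderHardened(url) {
  const name = escapeHtml(getParam(url, "name"));
  return `<button title="${name}">Apply</button>`;
}

// Tokenise the double-quoted attributes of the rendered tag. In the
// vulnerable output the payload becomes a second attribute; in the hardened
// output it stays inside the title attribute as inert text.
function attributeNames(html) {
  const names = [];
  const re = /\s([\w-]+)="[^"]*"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Event-handler attributes (on*) that the rendered markup ended up with.
function injectedHandlers(html) {
  return attributeNames(html).filter((n) => /^on/i.test(n));
}

// Constructed attacker URL: name = x" onclick="alert(document.cookie)
const ATTACK_URL =
  "http://wdu.local/config?name=x%22%20onclick%3D%22alert(document.cookie)";

console.log("vulnerable:", renderVulnerable(ATTACK_URL));
console.log("handlers  :", injectedHandlers(renderVulnerable(ATTACK_URL)));
console.log("hardened  :", renderHardened(ATTACK_URL));
console.log("handlers  :", injectedHandlers(renderHardened(ATTACK_URL)));
```

The same breakout works for any unquoted or single-quoted attribute and for `href` values, where a `javascript:` URL also needs a click to fire; the fix is the same in every case: encode on output for the context the value is written into, never trust that a "local" interface will only ever see friendly input.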

Affected Systems

The vulnerability affects the Garmin Empirbus Wireless Display Unit (WDU): hardware v1 running firmware 1.4.6 and hardware v2 running firmware 5.0 (recorded as 5.00 in the CPE data). No other vendors or products are listed.

Risk and Exploitability

The CVSS 3.1 base score of 5.0 (vector AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) rates the issue Medium: no privileges are required and scope is changed, but the attack vector is scored Local and user interaction is required. The EPSS score of under 1% and the absence of the CVE from CISA's KEV catalog indicate a low near-term likelihood of exploitation, and the SSVC assessment on this page records no known exploitation, a non-automatable attack and a "partial" technical impact. Note that the vector's Low confidentiality and integrity ratings sit below the description's claim of full administrator-level access; anyone operating the listed firmware should plan for the worse case. Exploitation needs user interaction twice over: the victim must open the crafted URL and then click an element on the rendered page. No authentication is needed to deliver the payload (PR:N), so any host on the same local network segment that can get a user to open a link is a potential attacker. No public exploit is documented at the time of writing.

Generated by OpenCVE AI on May 14, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Garmin WDU firmware update as soon as Garmin publishes one that addresses the XSS flaw; as of this entry no fix or workaround is listed, so the remaining actions are the only available mitigation.
  • Restrict access to the WDU web interface to trusted devices only, using network segmentation or firewall rules to block untrusted local‑network traffic.
  • If the web interface is not required, disable or remove it from the device configuration.
  • Monitor the device's web-server logs, or a proxy or packet capture on the segment, for requests to the WDU whose query strings carry HTML tags, event-handler attributes (onclick=, onerror=) or javascript: URLs; a reflected XSS payload travels in the request, so it is visible before the victim ever clicks.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:15:00 +0000

Type: First Time appeared
Added: Garmin empirbus Wireless Display Unit; Garmin empirbus Wireless Display Unit Firmware
Type: CPEs
Added:
  cpe:2.3:h:garmin:empirbus_wireless_display_unit:v1:*:*:*:*:*:*:*
  cpe:2.3:h:garmin:empirbus_wireless_display_unit:v2:*:*:*:*:*:*:*
  cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:1.4.6:*:*:*:*:*:*:*
  cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:5.00:*:*:*:*:*:*:*
Type: Vendors & Products
Added: Garmin empirbus Wireless Display Unit; Garmin empirbus Wireless Display Unit Firmware

Thu, 14 May 2026 15:00:00 +0000

Type: First Time appeared
Added: Garmin; Garmin wdu
Type: Vendors & Products
Added: Garmin; Garmin wdu

Thu, 14 May 2026 13:15:00 +0000

Type: Metrics
Added: cvssV3_1 {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 21:45:00 +0000

Type: Title
Added: Local XSS in Garmin WDU Allows Full Admin Access
Type: Weaknesses
Added: CWE-79

Wed, 13 May 2026 20:30:00 +0000

Type: Description
Added: The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary JavaScript code within the context of the WDU webpage. Full administrator level access to the device is possible. To initiate an exploit of this vulnerability, the victim must execute two actions: (1) view a specific URL served by the WDU, and (2) click an element on the rendered page.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T12:30:12.604Z

Reserved: 2025-03-09T00:00:00.000Z

Link: CVE-2025-27852

Vulnrichment

Updated: 2026-05-14T12:30:06.031Z

NVD

Status : Analyzed

Published: 2026-05-13T21:16:41.350

Modified: 2026-06-02T19:02:07.770

Link: CVE-2025-27852

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T15:00:12Z

Weaknesses