Description
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.
Published: 2026-05-13
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Garmin WDU firmware versions 1.4.6 and 2 5.0 expose a local web interface that performs authentication only when access occurs within the client’s browser. The WebSocket endpoints used for device communication do not enforce any authentication, allowing an attacker to invoke the remote APIs directly. This flaw permits an authenticated state to be forged, granting unauthorized control over device functions that the API exposes, and represents an insufficient authentication weakness (CWE‑306).

Affected Systems

Vendors: Garmin. Products: Garmin WDU firmware 1.4.6 and 2 5.0. No other product or version information is listed in the current advisories.

Risk and Exploitability

The EPSS score of < 1 % indicates an extremely low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. The CVSS score of 7.3 classifies the flaw as high severity, with the potential for full device control if exploited. Based on the description, it is inferred that an attacker must have network access to the device’s locally served web service, typically from the same local network, to establish the WebSocket connection. No public exploits or detailed attack paths have been reported, but the lack of authentication on the API endpoints creates a clear risk of unauthorized operations.

Generated by OpenCVE AI on May 14, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Garmin WDU firmware release that authenticates all WebSocket API endpoints; if no recent firmware exists, block or disable the vulnerable WebSocket interface.
  • Restrict network access to the WDU’s web service using firewall rules or segmentation so that only trusted hosts can reach the service.
  • Configure the web interface to require authentication for all remote API calls, and disable remote API usage until the authentication enforcement fix is applied.

Generated by OpenCVE AI on May 14, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Garmin empirbus Wireless Display Unit
Garmin empirbus Wireless Display Unit Firmware
CPEs cpe:2.3:h:garmin:empirbus_wireless_display_unit:v1:*:*:*:*:*:*:*
cpe:2.3:h:garmin:empirbus_wireless_display_unit:v2:*:*:*:*:*:*:*
cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:1.4.6:*:*:*:*:*:*:*
cpe:2.3:o:garmin:empirbus_wireless_display_unit_firmware:5.00:*:*:*:*:*:*:*
Vendors & Products Garmin empirbus Wireless Display Unit
Garmin empirbus Wireless Display Unit Firmware

Thu, 14 May 2026 21:00:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Garmin WDU WebSocket APIs

Thu, 14 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Garmin WDU WebSocket APIs Allows Unauthorized Remote Control
Weaknesses CWE-285

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Garmin
Garmin wdu
Vendors & Products Garmin
Garmin wdu

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass in Garmin WDU WebSocket APIs Allows Unauthorized Remote Control
Weaknesses CWE-285

Wed, 13 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser. The WebSockets used to communicate with the WDU server do not enforce any authentication. An attacker may bypass all authentication mechanisms by directly utilizing the remote APIs available on the websocket.
References

Subscriptions

Garmin Empirbus Wireless Display Unit Empirbus Wireless Display Unit Firmware Wdu
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-14T15:32:00.879Z

Reserved: 2025-03-09T00:00:00.000Z

Link: CVE-2025-27853

cve-icon Vulnrichment

Updated: 2026-05-14T15:31:35.982Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T21:16:41.463

Modified: 2026-06-02T18:55:42.590

Link: CVE-2025-27853

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T20:45:28Z

Weaknesses