CVE-2026-35077

Vulnerability

The ugw-delete-file method in the MBS Universal Gateways (UGW-A-Series, UGW-X-Series) web GUI is affected by insufficient validation of user-controlled input. This flaw allows authorized attackers to delete arbitrary local files. The vulnerability affects version V6_0_0_5 and earlier [1].

Exploitation

An attacker with user privileges can exploit this vulnerability by sending a crafted request to the ugw-delete-file method. No specific details regarding network position, authentication requirements beyond user privileges, or user interaction are provided in the available references, but the vulnerability requires the attacker to be authenticated with user-level access [1].

Impact

Successful exploitation allows an attacker to delete arbitrary local files on the affected system. This could lead to denial of service or potentially disrupt system operations, depending on which files are targeted for deletion [1].

Mitigation

This vulnerability affects version V6_0_0_5 and earlier. A fixed version is not yet disclosed in the available references. Users are advised to consult the vendor for updated information regarding patches or workarounds [1].