CVE-2025-27851
9.3 CRITICAL
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack
Published: 2026-05-13 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 9.3 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
- CWE: CWE-352 (Cross-Site Request Forgery)
Affected products
| Vendor | Product |
|---|---|
| garmin | empirbus_wireless_display_unit_firmware |
Description
The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including administrative settings. This allows a network attacker to take full control of a WDU. To initiate an exploit of this vulnerability, the victim must (1) be utilizing a web browser on a multihomed host that has local interfaces on the Garmin Marine Network as well as another network, and (2) access a malicious third party website created by the attacker.
Source: NVD
Related CVEs
Same vendor
- CVE-2025-27853 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed (7.3 HIGH)
- CVE-2025-27852 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack (5.0 MEDIUM)
- CVE-2025-27850 — The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack (7.5 HIGH)
Same CWE
- CVE-2026-48612 — Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’... (8.0 HIGH)
- CVE-2022-47150 — Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery (4.3 MEDIUM)
- CVE-2022-44630 — Cross-Site request forgery (CSRF) vulnerability in YITH YITH WooCommerce Product Slider Carousel allows Cross Site Request Forgery (4.6 MEDIUM)
- CVE-2024-32110 — Cross-Site request forgery (CSRF) vulnerability in Magepeople inc (4.3 MEDIUM)
- CVE-2026-53739 — Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which ... (4.3 MEDIUM)