Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.
Technical ContextAI
This vulnerability affects industrial remote access and maintenance platforms used in operational technology environments. The affected products include MB Connect Line mbCONNECT24 (cpe:2.3:a:mb_connect_line:mb_connect_line_mbconnect24), mymbCONNECT24 (cpe:2.3:a:mb_connect_line:mymbconnect24), and Helmholz myREX24v2 variants (cpe:2.3:a:helmholz:myrex24v2 and cpe:2.3:a:helmholz:myrex24v2.virtual). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), where user-supplied input in the userinfo endpoint is concatenated directly into SQL SELECT statements without proper sanitization or parameterized queries. The pre-authentication nature means the vulnerability exists before any authentication checks, making it accessible to completely unauthenticated attackers. These platforms typically manage remote connections to industrial equipment, making database contents potentially include credentials, configuration data, and sensitive industrial process information.
RemediationAI
Organizations should immediately consult CERT@VDE advisories VDE-2026-024 and VDE-2026-025 (available at https://certvde.com/de/advisories/VDE-2026-024 and https://certvde.com/de/advisories/VDE-2026-025) for specific patch versions and apply vendor-provided security updates from MB Connect Line and Helmholz as soon as they become available. Until patching is complete, implement network segmentation to restrict access to the affected userinfo endpoint to only trusted IP ranges using firewall rules or web application firewalls with SQL injection signature detection enabled. Deploy intrusion detection systems monitoring for SQL injection patterns targeting the authentication method, particularly looking for time delays, boolean-based payloads, or excessive authentication attempts. Consider temporarily disabling remote access through these platforms if business continuity allows, or enforce additional authentication layers such as VPN access before reaching the vulnerable endpoints.
More in Mb Connect Line Mbconnect24
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14407
GHSA-j3h2-gjm7-hpx9