Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from the vendor (CERT@VDE); the only source for this CVE.
Description (source: CVE.org)
The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
Analysis (AI-generated)
Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files on the device through the ugw-restoreinfo method, which fails to validate user-controlled path input (CWE-73). The flaw, reported by CERT@VDE and tracked under VDE-2026-039, affects the Single-A, Double-A (Profibus/X-Link), Single-X, and Double-X (CAN/DALI/KNX/LON/M-Bus/Profinet) fieldbus gateway product lines used in industrial and building automation. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have network reachability to the gateway's management interface and must be authenticated with at least a low-privileged user account on the device (CVSS PR:L); no administrator role, no user interaction, and no special client configuration are required. … |
| Risk Assessment | The CVSS 4.0 base score is 7.2 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N: network-reachable, low complexity, only a low-privileged authenticated user required, no user interaction, and high impact to integrity and availability of the vulnerable component (no confidentiality impact, no scope change). … |
| Exploit Scenario | An attacker who has obtained or been issued a low-privilege user account on an MBS UGW gateway (for example a maintenance contractor account, or credentials harvested from another OT host) sends a crafted request to the ugw-restoreinfo method with a path parameter pointing outside the restore directory. The handler deletes the referenced file, which could be a configuration database, certificate store, or runtime artifact, causing the gateway to fail to a safe state, lose protocol bindings, or refuse to restart, and disrupting the connected fieldbus segment. … |
| Remediation | No vendor-released patch version is identified in the available data; consult the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ and the MBS GmbH support channel for the fixed firmware build for each affected gateway line. … |
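The CWE-73 pattern behind this CVE, as an added illustration that is not code from MBS, CERT@VDE or the advisory: a hypothetical restore-file deletion handler that trusts the supplied name, beside a hardened version that confines the name to the restore directory. The function names and the temporary-directory scenario are constructed; the real ugw-restoreinfo implementation is not public on this page.

```python
import os
import tempfile

def unsafe_delete(restore_dir, name):
    """Vulnerable pattern (CWE-73): the caller-supplied name is trusted as-is.
    os.path.join drops restore_dir when name is absolute, and '..' segments
    walk out of it, so any file the service account may unlink is reachable."""
    target = os.path.join(restore_dir, name)
    os.remove(target)
    return target

def resolve_confined(restore_dir, name):
    """Canonical path of `name` inside restore_dir, or ValueError if it escapes."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        raise ValueError("restore name must be a bare file name")
    base = os.path.realpath(restore_dir)
    target = os.path.realpath(os.path.join(base, name))  # resolves symlinks too
    if os.path.commonpath([base, target]) != base:        # not str.startswith
        raise ValueError("entry resolves outside the restore directory")
    return target

def safe_delete(restore_dir, name):
    """Hardened handler: only a plain file name that resolves inside restore_dir."""
    target = resolve_confined(restore_dir, name)
    os.remove(target)
    return target

def demo():
    """Constructed scenario: a restore dir beside a config file that must survive."""
    root = tempfile.mkdtemp()
    restore = os.path.join(root, "restore")
    os.mkdir(restore)
    outside = os.path.join(root, "config.db")        # stands in for a config store
    for p in (outside, os.path.join(restore, "info.bak")):
        open(p, "w").close()
    os.symlink(outside, os.path.join(restore, "link.bak"))
    out = {}
    unsafe_delete(restore, "../config.db")           # traversal removes config.db
    out["unsafe_removed_outside"] = not os.path.exists(outside)
    open(outside, "w").close()                       # recreate it for the hardened run
    cases = {"traversal": "../config.db", "absolute": outside,
             "dotdot": "..", "symlink": "link.bak", "legit": "info.bak"}
    for label, name in cases.items():
        try:
            safe_delete(restore, name)
            out[label] = "deleted"
        except ValueError:
            out[label] = "rejected"
    out["outside_survives"] = os.path.exists(outside)
    return out
```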
Recommended Action (AI-generated)
Within 24 hours: Inventory all MBS UGW deployments (Single-A, Double-A, Single-X, Double-X product lines) and document their operational role and network location. …
Related vulnerabilities in MBS gateway product lines:
- Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)
- Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r…
- Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a…
- Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A…
- Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c…
- Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege…
- Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca…
- Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an…
- Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across…
- Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi…
Weakness: CWE-73 – External Control of File Name or Path
Technique: Information Disclosure
References: EUVD-2026-34076, GHSA-vhmf-2j3g-8p9g