
Severity by source

Vendor (CERTVDE) PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CERTVDE) · only source for this CVE.

CVSS Vector (Vendor: CERTVDE)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

Analysis Updated: Jun 03, 2026 - 13:35, vuln.today, v3 (cvss_changed)
Analysis Updated: Jun 03, 2026 - 13:34, vuln.today, v2 (cvss_changed)
Re-analysis Queued: Jun 03, 2026 - 13:22, vuln.today, cvss_changed
CVSS changed: Jun 03, 2026 - 13:22, NVD, 8.1 (HIGH) → 7.2 (HIGH)
Analysis Generated: Jun 03, 2026 - 12:51, vuln.today

Description (CVE.org)

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Analysis (AI)

Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files on the device through the ugw-restoreinfo method, which fails to validate user-controlled path input (CWE-73). The flaw, reported by CERT@VDE and tracked under VDE-2026-039, affects the Single-A, Double-A (Profibus/X-Link), Single-X, and Double-X (CAN/DALI/KNX/LON/M-Bus/Profinet) fieldbus gateway product lines used in industrial and building automation. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach gateway management interface over network
Delivery: Authenticate with low-privilege user credentials
Exploit: Invoke ugw-restoreinfo with traversal path
Execution: Bypass insufficient path validation
Persist: Delete targeted configuration or runtime file
Impact: Gateway loses fieldbus availability or integrity

Vulnerability Assessment (AI)

Exploitation: The attacker must have network reachability to the gateway's management interface and must be authenticated with at least a low-privileged user account on the device (CVSS PR:L); no administrator role, no user interaction, and no special client configuration are required. …

Risk Assessment: CVSS 4.0 base score is 7.2 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N - network-reachable, low complexity, only a low-privileged authenticated user is required, no user interaction, and high impact to integrity and availability of the vulnerable component (no confidentiality impact, no scope change). …

Exploit Scenario: An attacker who has obtained or been issued a low-privilege user account on an MBS UGW gateway - for example a maintenance contractor account or credentials harvested from another OT host - sends a crafted request to the ugw-restoreinfo method with a path parameter pointing outside the restore directory. The handler deletes the referenced file, which could be a configuration database, certificate store, or runtime artifact, causing the gateway to fail safe-state, lose protocol bindings, or refuse to restart, and disrupting the connected fieldbus segment. …

Remediation: No vendor-released patch version is identified in the available data; consult the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ and the MBS GmbH support channel for the fixed firmware build for each affected gateway line. …
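
The weakness class named above (CWE-73, a delete handler that trusts a caller-supplied path) is closed by resolving the path first and checking containment afterwards. The following is an added illustration, not MBS code and not taken from the advisory; `resolve_inside`, `delete_restore_file`, the directory layout and the request strings are all hypothetical and constructed for the example.

```python
import os
import tempfile

class PathRejected(ValueError):
    """Requested path resolves outside the allowed directory."""

def resolve_inside(base_dir, user_path):
    """Return the canonical target if it lies strictly under base_dir."""
    base = os.path.realpath(base_dir)
    # join() lets an absolute user_path replace base; realpath() collapses
    # ".." and follows symlinks, so the check sees the file's real location.
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathRejected(user_path)
    return target

def delete_restore_file(base_dir, user_path):
    """Delete one regular file under base_dir; True if a file was removed."""
    target = resolve_inside(base_dir, user_path)
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True

def demo():
    """Replay constructed requests against a throwaway directory tree."""
    requests = {                      # constructed inputs, not real traffic
        "plain": "old.info",
        "dotdot": "../gateway.conf",
        "symlink": "link/gateway.conf",
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        restore = os.path.join(root, "restore")
        os.mkdir(restore)
        outside = os.path.join(root, "gateway.conf")  # hypothetical file
        requests["absolute"] = outside
        for path in (outside, os.path.join(restore, "old.info")):
            open(path, "w").close()
        os.symlink(root, os.path.join(restore, "link"))
        for name, req in requests.items():
            try:
                results[name] = delete_restore_file(restore, req)
            except PathRejected:
                results[name] = "rejected"
        results["outside_survives"] = os.path.exists(outside)
    return results
if __name__ == "__main__":
    print(demo())
```

The containment check and the unlink are separate steps, so this design assumes unprivileged users cannot create or rename entries inside the restore directory while a request is being handled.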

Recommended Action (AI)

Within 24 hours: Inventory all MBS UGW deployments (Single-A, Double-A, Single-X, Double-X product lines) and document their operational role and network location. …


CVE-2026-35075 CRITICAL
9.3 Jun 03

Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)

CVE-2026-35082 HIGH
8.7 Jun 03

Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r

CVE-2026-35085 HIGH
8.7 Jun 03

Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a

CVE-2026-35084 HIGH
8.7 Jun 03

Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A

CVE-2026-35083 HIGH
8.7 Jun 03

Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c

CVE-2026-35079 HIGH
7.2 Jun 03

Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege

CVE-2026-35078 HIGH
7.2 Jun 03

Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca

CVE-2026-35077 HIGH
7.2 Jun 03

Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an

CVE-2026-35076 HIGH
7.2 Jun 03

Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across

CVE-2026-35081 HIGH
7.2 Jun 03

Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi


CVE-2026-35080 vulnerability details – vuln.today
