Severity by source

Vendor (CERTVDE), primary rating: 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CERTVDE); only source for this CVE.

CVSS Vector (Vendor: CERTVDE)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

- Analysis Updated, Jun 03, 2026 13:32 (vuln.today): v3 (cvss_changed)
- Analysis Updated, Jun 03, 2026 13:31 (vuln.today): v2 (cvss_changed)
- Re-analysis Queued, Jun 03, 2026 13:22 (vuln.today): cvss_changed
- CVSS changed, Jun 03, 2026 13:22 (NVD): 8.8 (HIGH) -> 8.7 (HIGH)
- Analysis Generated, Jun 03, 2026 12:50 (vuln.today)

Description (source: CVE.org)

A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.

Analysis (AI-generated)

Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain valid gateway user credentials
Delivery: Reach gateway service over OT network
Exploit: Send oversized crafted payload
Install: Overflow stack buffer in parser
C2: Hijack saved return address
Execute: Execute shellcode as root
Impact: Pivot to connected fieldbus devices

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires network reachability to the vulnerable service on an MBS Single-A, Double-A, Single-X, or Double-X gateway and valid low-privilege user credentials on that device (CVSS PR:L); no user interaction is required (UI:N) and attack complexity is low (AC:L). …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N with VC:H/VI:H/VA:H) describes a high-impact, low-friction post-authentication remote vulnerability, and CERT@VDE involvement signals real OT-sector relevance. …

Exploit Scenario: An attacker who has obtained valid user-level credentials on an MBS gateway - for example through credential reuse, a phished engineering workstation, or a malicious insider - connects across the OT network to the gateway's network service and submits a crafted oversized payload that overflows a stack buffer in the input parser. The overflow overwrites the saved return address, redirecting execution into attacker-supplied shellcode and yielding a root shell on the gateway, from which the attacker can pivot onto the fieldbus side to manipulate Profibus, Profinet, KNX, or other connected industrial endpoints. …

Remediation: Consult the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ for the vendor-supplied firmware update covering the affected Single-A, Double-A, Single-X, and Double-X gateways. Specific fixed firmware versions were not included in the available data, so patch status here is recorded as "patch available per vendor advisory, pending version confirmation". …

Recommended Action (AI-generated)

24 hours: Inventory all MBS gateway deployments and flag systems managing critical industrial processes; immediately restrict network access to these gateways via firewall segmentation limiting connections to authorized subnets only. …

- CVE-2026-35075, CRITICAL 9.3, Jun 03: Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)
- CVE-2026-35082, HIGH 8.7, Jun 03: Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r
- CVE-2026-35085, HIGH 8.7, Jun 03: Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a
- CVE-2026-35084, HIGH 8.7, Jun 03: Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A
- CVE-2026-35080, HIGH 7.2, Jun 03: Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files o
- CVE-2026-35079, HIGH 7.2, Jun 03: Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege
- CVE-2026-35078, HIGH 7.2, Jun 03: Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca
- CVE-2026-35077, HIGH 7.2, Jun 03: Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an
- CVE-2026-35076, HIGH 7.2, Jun 03: Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across
- CVE-2026-35081, HIGH 7.2, Jun 03: Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi

CVE-2026-35083 vulnerability details – vuln.today