Skip to main content

mbCONNECT24 CVE-2026-40811

| EUVDEUVD-2026-32111 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-4gxv-48x9-5f5g
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:43 vuln.today

DescriptionCVE.org

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.

Technical ContextAI

The root cause is CWE-89 (improper neutralization of special elements used in an SQL command). User-controllable input reaching the ssoabstractservice - the single sign-on abstraction layer of these remote-access products - is concatenated into a SQL SELECT query without proper sanitization or parameterization, allowing an attacker to alter the query's logic and read data the query was never intended to return. The affected products (mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual) are MB connect line / Helmholz cloud and on-prem portals used for remote maintenance and VPN access to industrial control systems, which is consistent with the report originating from CERT@VDE (info@cert.vde.com), an OT/industrial-focused CSIRT. No CPE strings were provided in the input; affected-product identification is based on the ENISA EUVD version list (EUVD-2026-32111).

RemediationAI

No exact fixed version is present in the provided data; the affected range (≤2.20.0) implies a remediated build above 2.20.0, so consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-released patched version and upgrade affected mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual instances accordingly. Until a confirmed patched version is applied, compensating controls include restricting network reachability of the ssoabstractservice/SSO login endpoint to known administrative IP ranges or placing the portal behind a VPN or reverse proxy (trade-off: legitimate remote technicians using arbitrary source IPs lose direct access), and deploying WAF/IPS rules to detect and block SQL-injection patterns against the SSO endpoint (trade-off: signature-based filtering can be bypassed with encoding and may produce false positives on legitimate SSO traffic). For cloud-hosted (mbCONNECT24/myREX24 portal) deployments, follow the vendor's hosted-service remediation guidance rather than self-patching.

Share

CVE-2026-40811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy