Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
Unauthenticated SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (all variants at versions ≤2.20.0) lets a remote attacker inject crafted input into a SQL SELECT statement handled by the ssoabstractservice (single sign-on) component, yielding read access to backend database contents and a total loss of confidentiality. The flaw requires no authentication, no privileges, and no user interaction over the network. No public exploit has been identified at time of analysis, and the EPSS score is very low (0.05%, 15th percentile), but the issue affects internet-exposed OT remote-access portals, raising its practical exposure.
Technical ContextAI
The root cause is CWE-89 (improper neutralization of special elements used in an SQL command). User-controllable input reaching the ssoabstractservice - the single sign-on abstraction layer of these remote-access products - is concatenated into a SQL SELECT query without proper sanitization or parameterization, allowing an attacker to alter the query's logic and read data the query was never intended to return. The affected products (mbCONNECT24, mymbCONNECT24, myREX24V2, myREX24V2.virtual) are MB connect line / Helmholz cloud and on-prem portals used for remote maintenance and VPN access to industrial control systems, which is consistent with the report originating from CERT@VDE (info@cert.vde.com), an OT/industrial-focused CSIRT. No CPE strings were provided in the input; affected-product identification is based on the ENISA EUVD version list (EUVD-2026-32111).
RemediationAI
No exact fixed version is present in the provided data; the affected range (≤2.20.0) implies a remediated build above 2.20.0, so consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-released patched version and upgrade affected mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual instances accordingly. Until a confirmed patched version is applied, compensating controls include restricting network reachability of the ssoabstractservice/SSO login endpoint to known administrative IP ranges or placing the portal behind a VPN or reverse proxy (trade-off: legitimate remote technicians using arbitrary source IPs lose direct access), and deploying WAF/IPS rules to detect and block SQL-injection patterns against the SSO endpoint (trade-off: signature-based filtering can be bypassed with encoding and may produce false positives on legitimate SSO traffic). For cloud-hosted (mbCONNECT24/myREX24 portal) deployments, follow the vendor's hosted-service remediation guidance rather than self-patching.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32111
GHSA-4gxv-48x9-5f5g