Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.
Technical ContextAI
The affected software is the MB connect line / Helmholz family of remote-access and remote-maintenance portals - mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual - which are server-side platforms commonly used to broker VPN/remote connectivity to industrial control systems and field devices. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), where the tagid parameter passed to the getLiveValues function is concatenated into a SQL SELECT statement without proper sanitization or parameterization. Because getLiveValues is reachable on the network-facing application and requires no authentication, attacker-controlled input flows directly into the backend database query, enabling injection against the live-value retrieval path used to display telemetry/tag data.
RemediationAI
Upgrade to a release later than 2.20.0 as published by the vendor; an exact fixed version number is not stated in the available data, so consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) to confirm the patched build before deploying. If immediate patching is not possible, reduce exposure by restricting network access to the portal so the getLiveValues endpoint is not reachable from untrusted networks - place the management/web interface behind a firewall or VPN allowlist and limit it to known operator source IPs (trade-off: may disrupt legitimate remote-maintenance clients that connect from dynamic addresses). Where the platform is self-hosted, fronting it with a WAF rule that blocks SQL metacharacters in the tagid parameter can serve as a stopgap (trade-off: signature-based filtering can be bypassed and may break legitimate tag identifiers), and database account privileges should be minimized to read-only/least-privilege to limit the data reachable through the injection.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32113
GHSA-v8qg-qq3r-wf68