Skip to main content

mbCONNECT24 CVE-2026-40813

| EUVDEUVD-2026-32113 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-v8qg-qq3r-wf68
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:21 vuln.today

DescriptionCVE.org

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions tagid parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-maintenance platforms (versions up to and including 2.20.0) lets a remote, unauthenticated attacker read arbitrary database contents by manipulating the tagid parameter of the getLiveValues function. The CVSS 4.0 base score is 8.7 with a confidentiality-only impact (VC:H, VI:N, VA:N), and no public exploit has been identified at the time of analysis. EPSS is very low (0.05%, 15th percentile), and the issue is not in CISA KEV, so widespread automated exploitation is not currently indicated despite the network-reachable, no-auth attack surface.

Technical ContextAI

The affected software is the MB connect line / Helmholz family of remote-access and remote-maintenance portals - mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual - which are server-side platforms commonly used to broker VPN/remote connectivity to industrial control systems and field devices. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), where the tagid parameter passed to the getLiveValues function is concatenated into a SQL SELECT statement without proper sanitization or parameterization. Because getLiveValues is reachable on the network-facing application and requires no authentication, attacker-controlled input flows directly into the backend database query, enabling injection against the live-value retrieval path used to display telemetry/tag data.

RemediationAI

Upgrade to a release later than 2.20.0 as published by the vendor; an exact fixed version number is not stated in the available data, so consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) to confirm the patched build before deploying. If immediate patching is not possible, reduce exposure by restricting network access to the portal so the getLiveValues endpoint is not reachable from untrusted networks - place the management/web interface behind a firewall or VPN allowlist and limit it to known operator source IPs (trade-off: may disrupt legitimate remote-maintenance clients that connect from dynamic addresses). Where the platform is self-hosted, fronting it with a WAF rule that blocks SQL metacharacters in the tagid parameter can serve as a stopgap (trade-off: signature-based filtering can be bypassed and may break legitimate tag identifiers), and database account privileges should be minimized to read-only/least-privilege to limit the data reachable through the injection.

Share

CVE-2026-40813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy