Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _mb24api_getUserAccount function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
Unauthenticated SQL injection in the mbCONNECT24/myREX24 industrial remote-maintenance platform (all variants up to and including 2.20.0) lets remote attackers extract database contents through the _mb24api_getUserAccount API function via a crafted SQL SELECT command (CWE-89). The CVSS 4.0 score of 8.7 reflects a confidentiality-only impact (VC:H, VI:N, VA:N) reachable over the network with no authentication and no user interaction. No public exploit has been identified at time of analysis and EPSS rates exploitation probability very low (0.05%, 15th percentile), but the no-auth, network-reachable design makes credential and account-data theft a credible concern.
Technical ContextAI
The affected software is MB connect line / Red Lion's mbCONNECT24 remote-access and remote-maintenance server and its branded variants (myREX24V2, myREX24V2.virtual, mymbCONNECT24) - VPN/portal platforms widely used to reach industrial control and OT equipment. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the _mb24api_getUserAccount API function concatenates attacker-controlled input into a SQL SELECT statement without proper parameterization or escaping, so injected SQL clauses are executed by the backend database. Because this is a SELECT-based injection, the practical impact is read access to data (user account records and potentially the wider database schema), consistent with the CVSS confidentiality-high / integrity-none / availability-none vector. No CPE strings were supplied in the source data, so exact product identification relies on the ENISA EUVD version list rather than NVD CPE.
RemediationAI
Primary action is to upgrade to a fixed release above 2.20.0 as identified in the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); the provided data does not contain an exact fixed version number, so the specific target build must be confirmed from that advisory before deployment. For vendor-hosted (myREX24V2.virtual / myREX24) instances, confirm with the operator whether the platform has already been patched server-side. If immediate patching of a self-hosted mbCONNECT24/mymbCONNECT24 box is not possible, reduce exposure by restricting network reachability of the management/API interface - for example placing it behind a VPN or firewall allowlist so the _mb24api_getUserAccount endpoint is not internet-facing (trade-off: may break remote access workflows that depend on direct reachability) - and increase monitoring/WAF inspection for anomalous SQL-like input on API requests as a detection-only stopgap (trade-off: signature-based filtering can be bypassed and should not be treated as a fix). After patching, rotate any credentials and account secrets that could have been exposed through the SELECT-based disclosure.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32120
GHSA-7fqx-864m-gjq2