Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the mbCONNECT24 / myREX24V2 family of industrial remote-maintenance platforms (all editions at version 2.20.0 and earlier) lets unauthenticated remote attackers manipulate a SQL SELECT statement in the getAlarmProfiles function and read arbitrary database contents. The flaw (CWE-89) carries a CVSS 4.0 base score of 8.7 with a confidentiality-only impact and requires no authentication or user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 15th percentile), indicating no observed mass-exploitation pressure despite the high base score.
Technical ContextAI
The affected products - myREX24V2, myREX24V2.virtual, mbCONNECT24, and mymbCONNECT24 - are remote-access and remote-maintenance portals from MB connect line (a Red Lion brand) used to broker secure connections to OT/ICS equipment in the field. The vulnerability is a classic CWE-89 SQL injection: the getAlarmProfiles function (part of the alarm/notification configuration feature of these platforms) incorporates attacker-controlled input into a SQL SELECT command without proper neutralization of special elements such as quotes or comment sequences. Because the query is a SELECT, the impact is read-oriented - an attacker can subvert query logic to return rows beyond their intended scope, enabling extraction of data from the backend database. No CPE 2.3 strings were provided in the source data; affected products are identified from the ENISA EUVD version list rather than NVD CPE entries.
RemediationAI
Consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-supplied fixed release and upgrade above the affected 2.20.0 baseline; an exact fixed version number was not present in the available data, so confirm it directly from that advisory before scheduling the update. Until patched, restrict network reachability to the management/portal interface - these are remote-access gateways and should not expose the affected endpoint to the open internet, so place instances behind a firewall or VPN and allowlist only trusted administrative source IPs (trade-off: may break remote field connectivity for legitimate roaming users and must be coordinated with operations). As a detective control, monitor web/application logs for anomalous requests to the getAlarmProfiles function and for SQL error or injection signatures, and consider a WAF rule targeting that endpoint (trade-off: signature-based WAF rules can be bypassed and may generate false positives). Do not rely on these measures as a permanent substitute for the vendor update.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32122
GHSA-755f-cpf7-v78f