Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.
AnalysisAI
SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).
Technical ContextAI
The affected products (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) are cloud/server portals from MB connect line (Red Lion) used to broker secure remote-maintenance VPN connections to industrial machinery and PLCs. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the userid value reaching the accountstatus view is placed into a dynamically built SQL UPDATE command without parameterization or escaping, so attacker-supplied SQL metacharacters are executed by the database engine. No CPE strings were supplied in the intelligence, so exact platform/build identification relies on the EUVD version list rather than NVD CPE matching.
RemediationAI
Upgrade to a fixed release above 2.20.0 as directed by CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); the exact fixed version number is not present in the available intelligence and should be taken from that advisory - Patch available per vendor advisory, released patched version not independently confirmed from this data. Because exploitation requires a high-privilege account, the most effective compensating control until patching is to tightly restrict and audit who holds administrative/high-privilege roles and to remove unnecessary admin accounts, accepting the trade-off of reduced day-to-day administrative convenience. Additionally, place the management/portal interface behind network access controls so the accountstatus view is reachable only from trusted management networks (trade-off: remote administrators must connect through a VPN or jump host), and enable database query/audit logging to detect anomalous UPDATE activity on the accountstatus tables.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32128
GHSA-29qr-v2g8-fp8m