Skip to main content

mbCONNECT24 CVE-2026-40824

| EUVDEUVD-2026-32128 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-29qr-v2g8-fp8m
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:02 vuln.today

DescriptionCVE.org

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

AnalysisAI

SQL injection in the mbCONNECT24 / myREX24V2 industrial remote-access platform (all editions through 2.20.0) lets a high-privileged remote attacker inject SQL through the userid parameter of the accountstatus view, which is concatenated unsafely into a SQL UPDATE statement. Successful exploitation yields read access to the entire backend database (total confidentiality loss) plus the ability to alter values in a non-critical table (partial integrity loss). There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is very low at 0.03% (10th percentile).

Technical ContextAI

The affected products (mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual) are cloud/server portals from MB connect line (Red Lion) used to broker secure remote-maintenance VPN connections to industrial machinery and PLCs. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the userid value reaching the accountstatus view is placed into a dynamically built SQL UPDATE command without parameterization or escaping, so attacker-supplied SQL metacharacters are executed by the database engine. No CPE strings were supplied in the intelligence, so exact platform/build identification relies on the EUVD version list rather than NVD CPE matching.

RemediationAI

Upgrade to a fixed release above 2.20.0 as directed by CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); the exact fixed version number is not present in the available intelligence and should be taken from that advisory - Patch available per vendor advisory, released patched version not independently confirmed from this data. Because exploitation requires a high-privilege account, the most effective compensating control until patching is to tightly restrict and audit who holds administrative/high-privilege roles and to remove unnecessary admin accounts, accepting the trade-off of reduced day-to-day administrative convenience. Additionally, place the management/portal interface behind network access controls so the accountstatus view is reachable only from trusted management networks (trade-off: remote administrators must connect through a VPN or jump host), and enable database query/audit logging to detect anomalous UPDATE activity on the accountstatus tables.

Share

CVE-2026-40824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy