CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A high-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the 'devices' parameter of the accountstatus view, caused by improper neutralization of special elements in a SQL UPDATE command, allowing the attacker to read the whole database and change values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
Analysis (AI)
An SQL injection in MB connect line's mbCONNECT24 / myREX24V2 remote-maintenance portals (all releases up to and including 2.20.0) lets an attacker break out of the SQL UPDATE statement into which the 'devices' parameter of the accountstatus view is spliced. Because the injection point is a write, the attacker gains full read access to the backend database as well as limited writes to a non-critical table. The CVSS 4.0 vector requires high privileges (PR:H), so a privileged authenticated user is the realistic threat actor; this directly contradicts the advisory text that labels the flaw 'unauthenticated', a discrepancy defenders should resolve with the vendor before judging whether mere network exposure of the portal is enough to be exploited. …
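The mechanism the analysis describes, a write statement that becomes a read primitive, is easier to see in code. The following is an added example written for this page; it is not code from mbCONNECT24/myREX24V2 nor the vendor's fix, and the schema, table and column names, sample rows and payload are all constructed assumptions. It places the vulnerable string-spliced UPDATE beside its parameterised form and shows how a subquery in the injected fragment copies another table into the column being written, where the attacker can simply read it back:

```python
import sqlite3

# Constructed toy schema standing in for a remote-maintenance portal's database.
# It is NOT the mbCONNECT24/myREX24V2 schema; all names are assumptions for illustration.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE account_status (id INTEGER PRIMARY KEY, devices TEXT);
INSERT INTO users VALUES (1, 'admin', 'h4sh-of-admin');
INSERT INTO users VALUES (2, 'svc',   'h4sh-of-svc');
INSERT INTO account_status VALUES (1, '0');
"""


def fresh_db():
    """New in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_devices_vulnerable(conn, account_id, devices):
    """The bug class: user input is spliced into the UPDATE statement as SQL text.

    A value containing a single quote terminates the string literal, and whatever
    follows is executed as SQL.  Because the statement is an UPDATE, a subquery can
    pull data from any other table into the column being written, which turns a
    write into a read of the whole database.
    """
    sql = (
        f"UPDATE account_status SET devices = '{devices}' "
        f"WHERE id = {int(account_id)}"
    )
    conn.execute(sql)
    conn.commit()


def update_devices_fixed(conn, account_id, devices):
    """Hardened form: bound parameters keep the value out of the SQL grammar."""
    conn.execute(
        "UPDATE account_status SET devices = ? WHERE id = ?",
        (devices, int(account_id)),
    )
    conn.commit()


def read_devices(conn, account_id):
    """What the attacker reads back after the write (the same view, refreshed)."""
    row = conn.execute(
        "SELECT devices FROM account_status WHERE id = ?", (int(account_id),)
    ).fetchone()
    return row[0]


# Constructed payload: closes the string literal, concatenates a subquery over
# another table, and reopens the literal so the statement stays syntactically valid.
PAYLOAD = (
    "' || (SELECT group_concat(username || ':' || password_hash, ';') "
    "FROM users) || '"
)


def demo(update):
    """Send the payload through the given update function and return what is stored."""
    conn = fresh_db()
    update(conn, 1, PAYLOAD)
    return read_devices(conn, 1)


if __name__ == "__main__":
    print("vulnerable:", demo(update_devices_vulnerable))
    print("fixed:     ", demo(update_devices_fixed))
```

With the vulnerable function the stored value is the concatenated contents of the users table; with the parameterised function the stored value is the payload string itself, harmless text. Note that the fix is binding, not escaping: doubling quotes in application code leaves numeric contexts and second-order uses unprotected, and the same injected subquery trick works against any write statement, which is why the remediation's database activity monitoring should flag UPDATEs whose values carry SELECT or unusually long strings.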
Remediation (AI)
24 hours: identify all deployments of mbCONNECT24/myREX24V2 ≤ 2.20.0; restrict network access to these portals to authorized management networks only; contact MB connect line to clarify the conflicting authentication requirement (the CVSS vector indicates PR:H despite the advisory's 'unauthenticated' wording).
7 days: implement network segmentation isolating the portals from untrusted networks; audit and minimize high-privilege administrator accounts with portal access; enable database activity monitoring focused on suspicious access patterns, in particular UPDATE statements against the account-status data that carry subqueries or unusually long values. …
External POC / Exploit Code
EUVD-2026-32129
GHSA-49xj-qj9r-gx79