Skip to main content

mbCONNECT24 CVE-2026-40827

| EUVDEUVD-2026-32156 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-c9g6-jwcc-x59m
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 21:03 vuln.today

DescriptionCVE.org

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

AnalysisAI

SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.

Technical ContextAI

The flaw is a classic CWE-89 SQL Injection: user-controlled input reaches a SQL DELETE command in the server-side _RemoveRequest function without proper neutralization of special elements (quotes, comment sequences, UNION/sub-select payloads), so the attacker can break out of the intended DELETE and append read operations against arbitrary tables. The affected software is the MB connect line (Red Lion) family of industrial remote-access and remote-maintenance cloud/VPN portals - mbCONNECT24 and the myREX24V2 variants - used to broker secure remote connections to OT/ICS equipment, which is why confidentiality of the central account/connection database is the high-value asset here. No CPE strings were supplied in the input; affected components are identified only by the EUVD product/version list.

RemediationAI

Upgrade to the fixed release identified in CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); an exact patched version number was not included in the provided data and must be read from that advisory before deployment. Because exploitation requires a high-privilege account, the most effective compensating control until patching is to tightly restrict and audit administrative/high-privilege accounts on the portal and rotate credentials - accepting the operational overhead of stricter admin onboarding. Additionally, place the portal behind network segmentation and limit management access to known administrator source IPs (trade-off: legitimate remote admins must connect from approved networks/VPN), and enable database and request logging on the _RemoveRequest path to detect anomalous DELETE/UNION activity. Avoid exposing the management interface directly to the public internet where feasible.

Share

CVE-2026-40827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy