Skip to main content

mbCONNECT24 CVE-2026-40828

| EUVDEUVD-2026-32157 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-vf4m-5fcg-vwvq
7.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.0 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:46 vuln.today

DescriptionCVE.org

A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

AnalysisAI

SQL injection in the DeleteSysLogEntry function of MB connect line / Helmholz remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual variant through version 2.20.0 - lets a network attacker with high privileges inject SQL into a DELETE statement, reading the entire backend database and deleting rows in a non-critical syslog table. The flaw yields full confidentiality loss and limited integrity impact (CVSS 4.0 base 7.0). There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as none, indicating no observed in-the-wild activity. Note the vendor description's 'unauthenticated' wording conflicts with the CVSS PR:H (high privileges required) metric.

Technical ContextAI

The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). User-controlled input flows into a SQL DELETE statement inside the DeleteSysLogEntry routine without proper sanitization, so an attacker can break out of the intended DELETE and append or subvert clauses - classic in-band/UNION-style extraction that exposes arbitrary tables despite the function nominally only deleting syslog entries. The affected software is MB connect line's mbCONNECT24 family (and the OEM/Helmholz myREX24V2 / mymbCONNECT24 portals plus the myREX24V2.virtual on-premises variant), which are industrial remote-access and remote-maintenance VPN management platforms used to broker connections into OT/ICS networks; the injection sits in the web management backend that stores device, user, and session data. No CPE 2.3 strings were supplied in the input - affected products are identified only via the ENISA EUVD version list (EUVD-2026-32157), not NVD CPE configurations.

RemediationAI

Consult vendor advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) and upgrade to a release later than 2.20.0; the exact fixed version is not stated in the available data and should be confirmed directly from that advisory before planning the upgrade. Because exploitation requires a high-privilege account (CVSS PR:H), the most effective compensating control until patching is to tightly restrict and audit high-privilege/administrator accounts on the portal - enforce strong authentication and MFA for admin logins and remove unused privileged accounts, accepting the operational overhead of stricter access review. Additionally, place the management web interface behind network segmentation or an allowlist so it is reachable only from trusted administrative networks rather than the open internet (trade-off: may complicate legitimate remote administration), and enable web/database logging to detect anomalous queries against the DeleteSysLogEntry endpoint. For the on-premises myREX24V2.virtual deployment, prioritize the same network restrictions since it is operator-managed.

Share

CVE-2026-40828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy