Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.
AnalysisAI
SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.
Technical ContextAI
The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) in the 'inmessage' model, where attacker-controlled input is concatenated into a SQL DELETE statement without proper sanitization or parameterization. Because the injection occurs in a DELETE query, the attacker can both subvert the WHERE clause to remove rows and, via injection techniques such as UNION/subquery or boolean/blind extraction, read arbitrary data from the database. The affected software is the MB connect line (now part of Red Lion) family of industrial remote-access and VPN portal products: mbCONNECT24 (server/on-premise portal), myREX24V2 and myREX24V2.virtual (hosted/virtual remote-service portals), and mymbCONNECT24. No CPE strings were supplied in the source data, so exact CPE matching cannot be performed; product identification is drawn from the EUVD affected-version list.
RemediationAI
Consult the vendor advisory CERT@VDE VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) and upgrade to the fixed release for your product; an exact patched version number was not present in the provided data, so the fixed build must be confirmed from that advisory (all branches at or below 2.20.0 are affected, so the fix is expected in a release above 2.20.0). Until patched, reduce exposure with specific compensating controls: restrict network reachability of the portal/management interface to trusted VPN or management networks rather than the open internet (trade-off: legitimate remote-service users may need VPN onboarding); enforce least privilege and prune low-privilege accounts since exploitation requires authenticated low-privilege access (trade-off: tighter account hygiene and possible support overhead); and enable database query/DELETE auditing and WAF/input-validation monitoring on the 'inmessage' endpoint to detect injection attempts (trade-off: tuning needed to avoid false positives). Do not rely on workarounds long-term - apply the vendor patch when available.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32135
GHSA-9jg5-m477-mh8r