Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the getProjectTags function of MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual appliance, all versions up to and including 2.20.0 - lets a remote attacker manipulate a backend SQL SELECT statement and read arbitrary database contents, causing a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H with no integrity or availability impact). The flaw was coordinated through CERT@VDE and catalogued in the ENISA EUVD; there is no public exploit identified at time of analysis and the EPSS probability is very low (0.03%, 11th percentile). Note a source conflict on access level: the description calls the attacker 'unauthenticated' while the CVSS vector specifies PR:L (low-privilege authenticated).
Technical ContextAI
The affected systems are industrial secure-remote-access and VPN management portals from MB connect line GmbH (the mbCONNECT24 cloud/server platform, the myREX24V2 portal, the mymbCONNECT24 white-label variant, and the self-hosted myREX24V2.virtual appliance), used to broker remote maintenance connections to machines and PLCs. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the getProjectTags function concatenates attacker-controllable input into a SQL SELECT query without proper escaping or parameterization, so injected SQL syntax is executed by the database. Because the injection point is a SELECT, the practical impact is data disclosure (reading rows the query was never meant to return) rather than data modification, which is consistent with the confidentiality-only CVSS impact metrics. No CPE strings were provided in the source data; affected-product identification comes from the ENISA EUVD version list rather than NVD CPE configurations.
RemediationAI
Consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-supplied fixed release and upgrade beyond 2.20.0; a specific patched version number was not present in the available data and could not be independently confirmed, so the advisory is the source of record. Until the fix is applied, reduce exposure of these remote-access portals: restrict reachability of the management interface to trusted networks via firewall IP allowlisting or an upstream VPN so the getProjectTags endpoint is not internet-facing (trade-off: may break remote maintenance workflows that rely on open portal access), and deploy a WAF or reverse-proxy rule to detect and block SQL metacharacters in requests to the affected function (trade-off: signature-based filtering can be bypassed and may produce false positives on legitimate tag input). Additionally, tighten and rotate database account credentials and enable query/audit logging on the portal database to detect anomalous SELECT activity. If the access-level conflict resolves to 'authenticated', enforcing least-privilege on portal accounts further limits the attacker pool.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32140
GHSA-wj43-r94c-4xj9