Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the devices_configuration view of MB connect line / Red Lion mbCONNECT24 and myREX24V2 remote-maintenance platforms (versions up to and including 2.20.0) lets a low-privileged remote user read arbitrary database contents. The CVSS 4.0 vector scores it 7.1 with high confidentiality impact and no integrity or availability impact, while EPSS rates exploitation probability at only 0.03% (11th percentile). No public exploit is identified at time of analysis and the issue is not in CISA KEV.
Technical ContextAI
The affected software is the mbCONNECT24 family of industrial remote-access and remote-maintenance platforms (mbCONNECT24, mymbCONNECT24, myREX24V2, and the myREX24V2.virtual variant), used to broker VPN-style access to PLCs, machines, and field devices. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-controllable input reaching the devices_configuration view is concatenated into a SQL SELECT statement without proper neutralization, allowing an attacker to alter the query structure. Because only a SELECT path is implicated and the CVSS vector marks VI:N/VA:N, the impact is read-only data disclosure rather than data modification or service disruption.
RemediationAI
Upgrade to the fixed release identified in CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); the fixed version number is not stated in the available data, but since all versions up to and including 2.20.0 are affected the fix is expected in a release later than 2.20.0 - confirm the exact build with the vendor before deploying. No vendor-released patch version is independently confirmed from the supplied data. As compensating controls until patched, restrict network reachability of the management/web interface to trusted administrators via firewall or VPN allow-listing (trade-off: may break remote admin workflows from arbitrary networks), enforce least-privilege on platform accounts and disable or remove low-privileged accounts that do not need device-configuration access (trade-off: operational overhead and possible loss of delegated administration), and increase logging/monitoring of queries hitting the devices_configuration view to detect anomalous SELECT patterns (trade-off: detection only, not prevention).
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32144
GHSA-7vvv-3cgf-gm8f