Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the tag view of MB connect line's mbCONNECT24 and myREX24 remote-maintenance platforms (all variants through 2.20.0) lets a remote attacker manipulate a SQL SELECT statement to read arbitrary database contents, yielding a total loss of confidentiality (VC:H, with no integrity or availability impact). The CVSS 4.0 vector requires low privileges (PR:L), yet the description labels the flaw 'unauthenticated' - a discrepancy defenders should resolve against the vendor advisory before scoping risk. No public exploit is identified at time of analysis, EPSS is very low (0.03%, 11th percentile), and CISA's SSVC framework marks current exploitation as none.
Technical ContextAI
The affected products - mbCONNECT24, mymbCONNECT24, myREX24V2, and myREX24V2.virtual - are industrial remote-access and remote-maintenance portals from MB connect line (now part of Red Lion), used to broker secure VPN connectivity to PLCs, HMIs, and other OT assets. The defect is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controllable input reaching the 'tag view' feature is concatenated into a SQL SELECT query without proper parameterization or escaping. 'Tags' in this context typically represent named data points/variables of monitored industrial devices, so the vulnerable view queries telemetry or configuration records. No CPE strings were provided in the source data, so exact platform/edition identifiers must be taken from the EUVD version list and the VDE advisory rather than NVD CPE matching.
RemediationAI
Upgrade to the fixed release identified in MB connect line / CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); because every listed variant is affected through 2.20.0, the remedy is a release later than 2.20.0, but no exact fixed version number is present in the provided data - confirm it directly from the advisory before scheduling the upgrade. No vendor-released patch version is independently confirmed from the input here. Until patched, restrict network reachability of the management/web interface to trusted administrative networks or VPN only (these are remote-access products, so exposing the portal directly to the internet broadly widens attacker reach), and tightly limit and audit low-privilege portal accounts since the CVSS vector requires PR:L - the trade-off is reduced convenience for distributed maintenance staff. If a web application firewall fronts the portal, add SQLi detection rules covering the tag view endpoint, accepting that WAF signatures are a detective/compensating control and not a substitute for the fix.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32147
GHSA-gc3c-24c5-6vv4