Skip to main content

mbNET Router CVE-2026-40851

| EUVDEUVD-2026-32150 HIGH
Improper Validation of Specified Type of Input (CWE-1287)
2026-05-27 info@cert.vde.com GHSA-hcr2-wfhw-2h9m
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:57 vuln.today

DescriptionCVE.org

A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability.

AnalysisAI

Code execution is possible on MB connect line industrial remote-maintenance routers - mbNET/mbNET.rokey, mbNET.mini, and the REX100/REX200/250 families - when a local attacker supplies a specially crafted configuration file on a USB stick that triggers a type-confusion flaw in the device's cfgparser, yielding total loss of confidentiality, integrity, and availability (CVSS 8.4). The flaw requires local/physical access to the device rather than network reach. There is no public exploit identified at time of analysis, and the EPSS score is very low (0.02%, 7th percentile), consistent with the SSVC assessment of no observed exploitation.

Technical ContextAI

The defect lies in cfgparser, the component these devices use to parse imported configuration files. It is classified as CWE-1287 (Improper Validation of Specified Type of Input) - a 'confusion' attack in which the parser is induced to interpret supplied data as a different type than intended, corrupting parser state and ultimately steering execution. The affected devices are industrial OT/ICS remote-access gateways and routers (mbNET, mbNET.mini, and REX series) commonly used for remote maintenance of machinery; many support importing configuration from removable USB media, which is the delivery surface here. No CPE strings were provided in the source data, so exact platform identifiers must be taken from the affected-version list and the CERT@VDE advisory.

RemediationAI

Consult CERT@VDE advisory VDE-2026-054 (https://www.certvde.com/en/advisories/VDE-2026-054/) for the fixed firmware release and upgrade beyond the affected ceilings (above 8.4.4 for mbNET/mbNET.rokey and REX200/250, above 3.0.2 for mbNET.mini and REX100) - an exact patched version number was not included in the provided data, so verify it directly in the advisory before deployment. Because exploitation depends on physical USB delivery, the most effective compensating controls are physical and operational: restrict and monitor physical access to the devices, disable or physically block unused USB ports, and disable any automatic configuration-import-from-USB feature so files are not parsed without an authorized administrator action; the trade-off is loss of the convenience of USB-based provisioning and the need for an alternative configuration workflow. These controls reduce exposure but are not a substitute for the firmware fix.

Share

CVE-2026-40851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy