Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to an system execute leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
AnalysisAI
OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.
Technical ContextAI
The weakness is classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The affected devices are industrial VPN/remote-maintenance gateways from MB connect line (now part of Helmholz) - the mbNET, mbNET.mini, mbNET.rokey and REX100/REX200/REX250 router families widely deployed for secure remote access to machinery and PLCs in OT/ICS environments. The vulnerable component is the configuration generator: an attacker-influenced configuration value is written into configurations the device later builds, and the device then hands that value to a shell/system execute primitive without proper validation or neutralization, allowing injected commands to run in the device's underlying OS context. No CPE strings were supplied in the input; affected products are taken from the EUVD version list rather than NVD CPE data.
RemediationAI
Patch available per vendor advisory - consult CERT@VDE VDE-2026-054 (https://www.certvde.com/en/advisories/VDE-2026-054/) for the exact fixed firmware versions for your specific model (mbNET.mini, REX100, REX200/250, mbNET/mbNET.rokey), as a released patched version is not independently confirmed from the supplied data and no exact fix version is stated in the input. Because exploitation requires high administrative privileges, the most effective compensating controls focus on locking down who can reach and administer the device: restrict access to the management/web configuration interface to a dedicated admin VLAN or jump host (trade-off: remote admins must connect through that path), enforce strong unique credentials and disable default or shared admin accounts to reduce the chance an attacker obtains the PR:H access the flaw needs, and tightly limit and audit who can modify the configuration generator. Do not expose the device management interface directly to the internet; place these OT gateways behind firewall rules that permit management only from trusted sources (trade-off: convenience of direct remote management is reduced). Monitor configuration changes and shell/command activity on the devices for anomalous values introduced into generated configurations.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32151
GHSA-4334-w3q6-m8g5