Skip to main content

mbCONNECT24 EUVDEUVD-2026-32135

| CVE-2026-40836 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-9jg5-m477-mh8r
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:05 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the inmessage model due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.

AnalysisAI

SQL injection in MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 at versions up to and including 2.20.0 - lets a low-privileged remote attacker manipulate the SQL DELETE command in the 'inmessage' model to read the entire backend database and delete rows from a non-critical table. The flaw yields full confidentiality loss and partial integrity loss but no availability impact, and is rated CVSS 4.0 7.1. EPSS is very low (0.03%, 11th percentile), there is no public exploit identified at time of analysis, and it is not on CISA KEV.

Technical ContextAI

The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) in the 'inmessage' model, where attacker-controlled input is concatenated into a SQL DELETE statement without proper sanitization or parameterization. Because the injection occurs in a DELETE query, the attacker can both subvert the WHERE clause to remove rows and, via injection techniques such as UNION/subquery or boolean/blind extraction, read arbitrary data from the database. The affected software is the MB connect line (now part of Red Lion) family of industrial remote-access and VPN portal products: mbCONNECT24 (server/on-premise portal), myREX24V2 and myREX24V2.virtual (hosted/virtual remote-service portals), and mymbCONNECT24. No CPE strings were supplied in the source data, so exact CPE matching cannot be performed; product identification is drawn from the EUVD affected-version list.

RemediationAI

Consult the vendor advisory CERT@VDE VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) and upgrade to the fixed release for your product; an exact patched version number was not present in the provided data, so the fixed build must be confirmed from that advisory (all branches at or below 2.20.0 are affected, so the fix is expected in a release above 2.20.0). Until patched, reduce exposure with specific compensating controls: restrict network reachability of the portal/management interface to trusted VPN or management networks rather than the open internet (trade-off: legitimate remote-service users may need VPN onboarding); enforce least privilege and prune low-privilege accounts since exploitation requires authenticated low-privilege access (trade-off: tighter account hygiene and possible support overhead); and enable database query/DELETE auditing and WAF/input-validation monitoring on the 'inmessage' endpoint to detect injection attempts (trade-off: tuning needed to avoid false positives). Do not rely on workarounds long-term - apply the vendor patch when available.

Share

EUVD-2026-32135 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy