Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
Confidential data disclosure via SQL injection affects the mbCONNECT24 industrial remote-maintenance platform and its related variants (mymbCONNECT24, myREX24V2, myREX24V2.virtual) at versions up to and including 2.20.0. The flaw lives in the getProjectScalings function, where attacker-controlled input reaches a SQL SELECT statement, allowing extraction of arbitrary database contents and a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H). The CVSS vector requires low-privilege access (PR:L), which conflicts with the description's claim of an 'unauthenticated' attack - a discrepancy defenders should resolve against the vendor advisory. There is no public exploit identified at time of analysis, and EPSS is very low (0.03%, 11th percentile), with CISA SSVC rating exploitation as 'none'.
Technical ContextAI
The affected products are remote-access/VPN gateway and industrial remote-maintenance services from the MB connect line / Red Lion family (mbCONNECT24, mymbCONNECT24, myREX24V2 and its virtual edition), commonly deployed in OT/ICS environments to broker remote connections to field equipment. The root cause is CWE-89, Improper Neutralization of Special Elements used in an SQL Command: the getProjectScalings function builds a SELECT query without properly parameterizing or escaping user-supplied input, so crafted input alters the query's logic. Because only the confidentiality metric is High (VC:H) and integrity/availability are None (VI:N/VA:N), the vector is consistent with a read-only SELECT-based injection used to read data the attacker should not see, rather than to modify records or execute OS commands. The advisory is coordinated through CERT@VDE (reported by info@cert.vde.com), the German OT/industrial CSIRT, and is tracked in the ENISA EUVD as EUVD-2026-32136.
RemediationAI
Upgrade beyond the affected ceiling of 2.20.0 to the fixed release identified in vendor advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); an exact patched version number is not present in the provided data, so confirm it directly in that advisory rather than assuming a version. Because these products are remote-access gateways often reachable from the internet, the most effective compensating control until patching is to restrict network exposure of the management interface by placing it behind a VPN or IP allow-list and blocking direct internet access to the service hosting the getProjectScalings function, accepting the trade-off that legitimate remote technicians must then connect through the allow-listed path. Tighten and audit account provisioning so only trusted, minimally-privileged users hold valid credentials (relevant because the CVSS vector indicates PR:L), and monitor application and database logs for anomalous SELECT patterns or query errors tied to that function. Confirm the precise authentication requirement with the vendor given the unauthenticated-vs-PR:L discrepancy, since that determines whether network restriction alone is sufficient.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32136
GHSA-q4rw-59qf-972m