Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the mbCONNECT24 industrial remote-access platform (and the sibling products myREX24V2, myREX24V2.virtual and mymbCONNECT24, all versions up to and including 2.20.0) lets a remote attacker abuse the getDeviceScalings function, where user input is concatenated into a SQL SELECT statement without proper neutralization (CWE-89). Successful injection yields a total loss of confidentiality, allowing extraction of arbitrary database contents, though integrity and availability are unaffected per the CVSS 4.0 vector (VC:H/VI:N/VA:N, score 7.1). There is no public exploit identified at time of analysis, and EPSS is very low at 0.03% (11th percentile).
Technical ContextAI
The affected systems are MB connect line's industrial remote-maintenance and VPN management platforms - mbCONNECT24, mymbCONNECT24, and the myREX24V2 family (including the .virtual variant) - used to provide remote access to machinery and OT/ICS equipment. The flaw is a classic SQL injection (CWE-89): the getDeviceScalings function builds a SQL SELECT command by incorporating attacker-controllable special characters without escaping or parameterization, so crafted input alters the query structure. Because the impact is confidentiality-only (no write or destructive primitive), the database read surface - device, scaling, and likely account/configuration data - is the principal asset at risk. The vulnerability was reported through CERT@VDE (info@cert.vde.com), the German industrial-CERT that coordinates disclosures for automation vendors, and is tracked in the EU vulnerability database as EUVD-2026-32137.
RemediationAI
Consult the vendor advisory at https://www.certvde.com/en/advisories/VDE-2026-044/ for the fixed release: because all branches up to and including 2.20.0 are affected, the remediation is to upgrade to the vendor's post-2.20.0 release, but no exact fixed version was included in the provided data and it should be confirmed directly from VDE-2026-044 (do not assume a version number). For myREX24V2.virtual and other cloud/hosted instances, confirm whether the vendor has already patched the managed service. Until patched, apply compensating controls: restrict network reachability of the management/web interface to trusted administrative networks or VPN only (these platforms should not be internet-exposed), tighten and audit low-privileged accounts since the CVSS vector indicates an account may be a prerequisite (trade-off: may disrupt legitimate limited-access users), and enable WAF/database-query monitoring to detect anomalous SELECT patterns against the getDeviceScalings endpoint (trade-off: detective rather than preventive). No vendor-released patch version was identified in the provided data - absence of that detail is not confirmation a fix is unavailable.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32137
GHSA-fhmg-fp6g-9rg4