Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AnalysisAI
SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).
Technical ContextAI
The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerable code path is the VerifyCreateLicences function, which builds a SQL SELECT query without properly sanitizing or parameterizing attacker-controllable input, allowing injected SQL syntax to alter the query. The affected products are the mbCONNECT24 and myREX24 family of industrial remote-access/remote-maintenance portal and VPN gateway solutions from MB connect line (now part of Red Lion), spanning the cloud/virtual editions myREX24V2.virtual and mymbCONNECT24 as well as mbCONNECT24 and myREX24V2 themselves. Because licence verification logic is typically reachable by authenticated portal users, the injection sits in an application-layer query against the platform's backend database.
RemediationAI
No vendor-released fixed version was identified in the available data - the source lists versions only up to and including 2.20.0 as affected without naming a patched release - so consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the official fixed build and upgrade to it as the primary remediation once published. Until a patch is applied, reduce exposure by restricting network access to the mbCONNECT24 / myREX24 management portal to trusted networks or VPN only (limiting AV:N reachability, at the cost of remote-admin convenience), tightening and auditing low-privilege portal accounts since exploitation requires authenticated access per the CVSS vector (trade-off: added account management overhead), and monitoring database/application logs for anomalous SQL patterns against the licence-creation/verification endpoints. Because the description and CVSS disagree on whether authentication is required, treat the licence endpoint as reachable by any portal user and prioritize access restriction accordingly.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32139
GHSA-mvcv-v4fh-22c9