Skip to main content

mbCONNECT24 EUVDEUVD-2026-32139

| CVE-2026-40840 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-mvcv-v4fh-22c9
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:57 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in the VerifyCreateLicences function of MB connect line's mbCONNECT24 / myREX24 remote-maintenance platforms (including the myREX24V2.virtual and mymbCONNECT24 variants, versions up to and including 2.20.0) lets a remote attacker holding a low-privilege account inject crafted input into a SQL SELECT statement and read arbitrary database contents, causing total loss of confidentiality. The CVSS 4.0 base score is 7.1 with high confidentiality impact but no integrity or availability impact. There is no public exploit identified at time of analysis, and EPSS rates exploitation probability very low at 0.03% (11th percentile).

Technical ContextAI

The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerable code path is the VerifyCreateLicences function, which builds a SQL SELECT query without properly sanitizing or parameterizing attacker-controllable input, allowing injected SQL syntax to alter the query. The affected products are the mbCONNECT24 and myREX24 family of industrial remote-access/remote-maintenance portal and VPN gateway solutions from MB connect line (now part of Red Lion), spanning the cloud/virtual editions myREX24V2.virtual and mymbCONNECT24 as well as mbCONNECT24 and myREX24V2 themselves. Because licence verification logic is typically reachable by authenticated portal users, the injection sits in an application-layer query against the platform's backend database.

RemediationAI

No vendor-released fixed version was identified in the available data - the source lists versions only up to and including 2.20.0 as affected without naming a patched release - so consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the official fixed build and upgrade to it as the primary remediation once published. Until a patch is applied, reduce exposure by restricting network access to the mbCONNECT24 / myREX24 management portal to trusted networks or VPN only (limiting AV:N reachability, at the cost of remote-admin convenience), tightening and auditing low-privilege portal accounts since exploitation requires authenticated access per the CVSS vector (trade-off: added account management overhead), and monitoring database/application logs for anomalous SQL patterns against the licence-creation/verification endpoints. Because the description and CVSS disagree on whether authentication is required, treat the licence endpoint as reachable by any portal user and prioritize access restriction accordingly.

Share

EUVD-2026-32139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy