Skip to main content

mbCONNECT24 EUVDEUVD-2026-32140

| CVE-2026-40841 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-wj43-r94c-4xj9
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:22 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in the getProjectTags function of MB connect line's remote-maintenance platforms - mbCONNECT24, myREX24V2, mymbCONNECT24 and the myREX24V2.virtual appliance, all versions up to and including 2.20.0 - lets a remote attacker manipulate a backend SQL SELECT statement and read arbitrary database contents, causing a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H with no integrity or availability impact). The flaw was coordinated through CERT@VDE and catalogued in the ENISA EUVD; there is no public exploit identified at time of analysis and the EPSS probability is very low (0.03%, 11th percentile). Note a source conflict on access level: the description calls the attacker 'unauthenticated' while the CVSS vector specifies PR:L (low-privilege authenticated).

Technical ContextAI

The affected systems are industrial secure-remote-access and VPN management portals from MB connect line GmbH (the mbCONNECT24 cloud/server platform, the myREX24V2 portal, the mymbCONNECT24 white-label variant, and the self-hosted myREX24V2.virtual appliance), used to broker remote maintenance connections to machines and PLCs. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the getProjectTags function concatenates attacker-controllable input into a SQL SELECT query without proper escaping or parameterization, so injected SQL syntax is executed by the database. Because the injection point is a SELECT, the practical impact is data disclosure (reading rows the query was never meant to return) rather than data modification, which is consistent with the confidentiality-only CVSS impact metrics. No CPE strings were provided in the source data; affected-product identification comes from the ENISA EUVD version list rather than NVD CPE configurations.

RemediationAI

Consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-supplied fixed release and upgrade beyond 2.20.0; a specific patched version number was not present in the available data and could not be independently confirmed, so the advisory is the source of record. Until the fix is applied, reduce exposure of these remote-access portals: restrict reachability of the management interface to trusted networks via firewall IP allowlisting or an upstream VPN so the getProjectTags endpoint is not internet-facing (trade-off: may break remote maintenance workflows that rely on open portal access), and deploy a WAF or reverse-proxy rule to detect and block SQL metacharacters in requests to the affected function (trade-off: signature-based filtering can be bypassed and may produce false positives on legitimate tag input). Additionally, tighten and rotate database account credentials and enable query/audit logging on the portal database to detect anomalous SELECT activity. If the access-level conflict resolves to 'authenticated', enforcing least-privilege on portal accounts further limits the attacker pool.

Share

EUVD-2026-32140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy