Skip to main content

mbCONNECT24 EUVDEUVD-2026-32145

| CVE-2026-40846 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-3vv6-6r3h-c8rr
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:25 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in MB connect line's mbCONNECT24/myREX24V2 industrial remote-maintenance portals (all versions up to and including 2.20.0) lets a low-privileged authenticated user read arbitrary database contents through the 'system view', where special characters are not neutralized inside a SQL SELECT command, yielding a total loss of confidentiality (CVSS 4.0 base 7.1). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV; EPSS is very low at 0.03% (11th percentile), indicating limited near-term mass-exploitation likelihood. The flaw was reported by CERT@VDE and is tracked under advisory VDE-2026-044 and ENISA EUVD-2026-32145. Note the description calls it 'unauthenticated' while the CVSS vector specifies PR:L (low-privileged), a discrepancy that should be resolved with the vendor.

Technical ContextAI

The affected products (mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual) are MB connect line / Red Lion cloud and on-premises remote-access and VPN management portals used to reach industrial machinery and OT/ICS networks, which is consistent with the report originating from CERT@VDE, the German CERT focused on industrial automation. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): user-influenced input reaching the portal's 'system view' is concatenated into a SQL SELECT statement without proper escaping or parameterization, allowing an attacker to alter the query's logic. Because the injection sits in a SELECT context and the CVSS vector marks only confidentiality as impacted (VC:H, VI:N, VA:N), the practical effect is unauthorized reading of backend database records rather than data modification or destruction. No CPE strings were provided in the source data; affected products were enumerated from the ENISA EUVD version list rather than NVD CPE configurations.

RemediationAI

Consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the vendor-supplied fixed release; no exact patched version number was present in the available data, and since 2.20.0 is the highest affected version a remediated build would be a later release, but that should be confirmed against the advisory rather than assumed. Because no fixed version is independently confirmed here, apply compensating controls in the interim: restrict network reachability of the portal so the web interface is not exposed to the public internet (place it behind a VPN or IP allowlist), which reduces the pool of potential attackers but may complicate legitimate remote technician access; tighten account provisioning and remove or downgrade unnecessary low-privilege accounts, since exploitation per CVSS requires authenticated access (PR:L); and deploy a web application firewall with SQL-injection signatures in front of the portal, accepting that WAF rules can be bypassed and may generate false positives. Monitor portal and database logs for anomalous SELECT activity or errors originating from the 'system view'. Because impact is confidentiality-only, prioritize protection of sensitive records reachable through the portal database.

Share

EUVD-2026-32145 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy