Skip to main content

mbNET EUVDEUVD-2026-32151

| CVE-2026-40852 HIGH
OS Command Injection (CWE-78)
2026-05-27 info@cert.vde.com GHSA-4334-w3q6-m8g5
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:48 vuln.today

DescriptionCVE.org

A highly authenticated attacker can alter the config generator injecting a payload into future created configurations. The device is not correctly checking this configuration value before passing it to an system execute leading to code execution. This can result in a total loss of confidentiality, integrity and availability.

AnalysisAI

OS command injection in MB connect line / Helmholz mbNET and REX industrial remote-maintenance routers (mbNET.mini up to 3.0.2, REX200/250 and mbNET/mbNET.rokey up to 8.4.4, REX100 up to 3.0.2) lets a high-privilege authenticated user poison the device's configuration generator so that a tainted value is later passed unsanitized to a system execute call, producing arbitrary command execution with total loss of confidentiality, integrity and availability. The flaw was reported through CERT@VDE (advisory VDE-2026-054) and tracked as EUVD-2026-32151. There is no public exploit identified at time of analysis, EPSS is low (0.07%, 22nd percentile), and CISA's SSVC framework rates current exploitation as none.

Technical ContextAI

The weakness is classic CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The affected devices are industrial VPN/remote-maintenance gateways from MB connect line (now part of Helmholz) - the mbNET, mbNET.mini, mbNET.rokey and REX100/REX200/REX250 router families widely deployed for secure remote access to machinery and PLCs in OT/ICS environments. The vulnerable component is the configuration generator: an attacker-influenced configuration value is written into configurations the device later builds, and the device then hands that value to a shell/system execute primitive without proper validation or neutralization, allowing injected commands to run in the device's underlying OS context. No CPE strings were supplied in the input; affected products are taken from the EUVD version list rather than NVD CPE data.

RemediationAI

Patch available per vendor advisory - consult CERT@VDE VDE-2026-054 (https://www.certvde.com/en/advisories/VDE-2026-054/) for the exact fixed firmware versions for your specific model (mbNET.mini, REX100, REX200/250, mbNET/mbNET.rokey), as a released patched version is not independently confirmed from the supplied data and no exact fix version is stated in the input. Because exploitation requires high administrative privileges, the most effective compensating controls focus on locking down who can reach and administer the device: restrict access to the management/web configuration interface to a dedicated admin VLAN or jump host (trade-off: remote admins must connect through that path), enforce strong unique credentials and disable default or shared admin accounts to reduce the chance an attacker obtains the PR:H access the flaw needs, and tightly limit and audit who can modify the configuration generator. Do not expose the device management interface directly to the internet; place these OT gateways behind firewall rules that permit management only from trusted sources (trade-off: convenience of direct remote management is reduced). Monitor configuration changes and shell/command activity on the devices for anomalous values introduced into generated configurations.

Share

EUVD-2026-32151 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy