Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command allowing for reading the whole database and deleting entries in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.
AnalysisAI
SQL injection in the MB connect line remote-maintenance portals mbCONNECT24, myREX24V2, myREX24V2.virtual and mymbCONNECT24 (all versions up to and including 2.20.0) lets a high-privileged remote user manipulate a SQL DELETE statement in the _RemoveRequest function to read the entire backend database and delete rows in a non-critical table. The CVSS 4.0 vector (PR:H) indicates an authenticated, high-privilege account is required despite the description's wording, yielding total confidentiality loss and partial integrity loss. There is no public exploit identified at time of analysis, EPSS is very low (0.03%), and the issue is not listed in CISA KEV.
Technical ContextAI
The flaw is a classic CWE-89 SQL Injection: user-controlled input reaches a SQL DELETE command in the server-side _RemoveRequest function without proper neutralization of special elements (quotes, comment sequences, UNION/sub-select payloads), so the attacker can break out of the intended DELETE and append read operations against arbitrary tables. The affected software is the MB connect line (Red Lion) family of industrial remote-access and remote-maintenance cloud/VPN portals - mbCONNECT24 and the myREX24V2 variants - used to broker secure remote connections to OT/ICS equipment, which is why confidentiality of the central account/connection database is the high-value asset here. No CPE strings were supplied in the input; affected components are identified only by the EUVD product/version list.
RemediationAI
Upgrade to the fixed release identified in CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/); an exact patched version number was not included in the provided data and must be read from that advisory before deployment. Because exploitation requires a high-privilege account, the most effective compensating control until patching is to tightly restrict and audit administrative/high-privilege accounts on the portal and rotate credentials - accepting the operational overhead of stricter admin onboarding. Additionally, place the portal behind network segmentation and limit management access to known administrator source IPs (trade-off: legitimate remote admins must connect from approved networks/VPN), and enable database and request logging on the _RemoveRequest path to detect anomalous DELETE/UNION activity. Avoid exposing the management interface directly to the public internet where feasible.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32156
GHSA-c9g6-jwcc-x59m