Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command allowing for reading the whole database and changing values in a non critical table. This can result in a total loss of confidentiality and some loss of integrity.
AnalysisAI
SQL injection in the UpdateParam function of admin.mbnetj.php in MB connect line's mbCONNECT24, mymbCONNECT24, myREX24V2 and myREX24V2.virtual remote-maintenance portals (versions up to and including 2.20.0) lets a high-privileged remote attacker tamper with a SQL UPDATE command, reading the entire database and modifying values in a non-critical table. The flaw was reported by CERT@VDE (advisory VDE-2026-044) and carries CVSS 4.0 base 7.0. There is no public exploit identified at time of analysis, EPSS is very low (0.03%, 10th percentile), and CISA SSVC rates exploitation as 'none' - indicating low immediate real-world urgency despite the high impact ceiling.
Technical ContextAI
The affected products are industrial remote-access and remote-maintenance cloud/appliance portals from MB connect line GmbH (the mbCONNECT24 / myREX24 family, including the 'virtual' variant), implemented in PHP as indicated by the input tags (PHP, SQLi). The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command): the UpdateParam function in admin.mbnetj.php incorporates attacker-influenced input into a SQL UPDATE statement without proper sanitization or parameterization. Because the injection sits in an UPDATE command, the attacker can both exfiltrate data via the query and write into at least one (described as non-critical) table. The EUVD CPE/version data scopes this to all four product editions at versions 0.0.0 through 2.20.0.
RemediationAI
No vendor-released fixed version is identified in the available data; all editions at 2.20.0 and below are listed as affected, so consult CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) for the patched release and upgrade to it once published. As compensating controls until patched: restrict network access to the administrative interface and the admin.mbnetj.php endpoint to trusted management networks or VPN only (trade-off: legitimate remote admins must connect through that path), tightly limit and audit accounts holding the high privileges the exploit requires since PR:H is in the CVSS vector (trade-off: may slow routine administration), and monitor application/database logs for anomalous UPDATE statements or unexpected reads against the admin endpoint. Because the writable target is described as a non-critical table, integrity exposure is limited, but the full-database read capability means treating any successful exploitation as a confidentiality breach is appropriate.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32159
GHSA-9636-x77x-g7vw