Skip to main content

mbCONNECT24 EUVDEUVD-2026-32161

| CVE-2026-40832 HIGH
SQL Injection (CWE-89)
2026-05-27 info@cert.vde.com GHSA-f8hp-x45q-wmc9
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 19:56 vuln.today

DescriptionCVE.org

An low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

AnalysisAI

SQL injection in the getDevicegroups function of MB connect line / Red Lion industrial remote-access products (mbCONNECT24, myREX24V2 and their hosted mymbCONNECT24 / myREX24V2.virtual variants, all versions up to and including 2.20.0) lets a low-privileged remote user inject crafted input into a SQL SELECT statement and read arbitrary database contents, yielding a total loss of confidentiality (CVSS 4.0 base 7.1, VC:H, VI:N, VA:N). The issue was reported by CERT@VDE and published as advisory VDE-2026-044 / EUVD-2026-32161; no public exploit has been identified and EPSS is very low (0.03%, 11th percentile), indicating no observed widespread exploitation. Note a source discrepancy: the description labels the flaw 'unauthenticated' while the CVSS vector requires low privileges (PR:L) - this should be verified with the vendor.

Technical ContextAI

The affected software is the MB connect line (now Red Lion) family of industrial remote-maintenance and secure-access portals - mbCONNECT24 and myREX24V2, plus their managed/hosted editions mymbCONNECT24 and myREX24V2.virtual - which provide VPN-based remote access and device management for OT/ICS equipment. The root cause is CWE-89 (improper neutralization of special elements used in an SQL command): the server-side getDevicegroups function concatenates attacker-influenced input into a SQL SELECT query without proper sanitization or parameterization, so crafted input alters the query structure. Because the impacted query is a SELECT, the vulnerability exposes read access to backend data (device groups and potentially related portal records) rather than write/modify operations, consistent with the confidentiality-only impact in the CVSS vector. No CPE 2.3 strings were supplied; affected products are identified only by the EUVD vendor/product/version strings.

RemediationAI

Consult the CERT@VDE advisory VDE-2026-044 (https://www.certvde.com/en/advisories/VDE-2026-044/) and upgrade to the vendor's fixed release above 2.20.0; no exact fixed version number was present in the available data, so the patched version must be confirmed from that advisory rather than assumed (no vendor-released patch version is independently confirmed here). Until a confirmed fixed build is installed, reduce exposure by restricting network reachability of the portal - place it behind a VPN or firewall and limit access to known management IP ranges, accepting the trade-off that legitimate remote technicians may need allowlisting; tighten and audit low-privilege portal accounts and disable unused ones, since the CVSS vector indicates a low-privilege account is the exploitation prerequisite; and enable any available web application firewall / SQL-injection filtering in front of the application, recognizing that WAF rules can be bypassed and are only a stopgap. Because impact is confidentiality-only, also monitor portal and database logs for anomalous getDevicegroups requests or unusual SELECT patterns.

Share

EUVD-2026-32161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy