
Severity by source

Vendor (CERTVDE) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (CERTVDE) · only source for this CVE.

CVSS Vector (Vendor: CERTVDE)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (Scope is a CVSS 3.x metric and is not part of the CVSS 4.0 vector above)

Lifecycle Timeline (5 events)

Jun 03, 2026 - 13:28 vuln.today: Analysis Updated, v3 (cvss_changed)
Jun 03, 2026 - 13:28 vuln.today: Analysis Updated, v2 (cvss_changed)
Jun 03, 2026 - 13:22 vuln.today: Re-analysis Queued (cvss_changed)
Jun 03, 2026 - 13:22 NVD: CVSS changed, 9.8 (CRITICAL) -> 9.3 (CRITICAL)
Jun 03, 2026 - 12:53 vuln.today: Analysis Generated

Description (CVE.org)

An unauthenticated remote attacker can recover a default, hard-coded password from a firmware image and thus gain full access to all affected devices.

Analysis (AI-generated)

Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families) allows remote unauthenticated attackers to extract a hard-coded default password embedded in the firmware image and use it to obtain full administrative control of any affected device. With a CVSS 4.0 score of 9.3 and the vulnerability reported through CERT@VDE under advisory VDE-2026-039, the issue is severe because the recovered credential is shared across the device line, but at the time of analysis there is no public exploit identified and the vulnerability is not listed in CISA KEV.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain MBS firmware image
Delivery: Extract filesystem and binaries
Exploit: Recover hard-coded admin password
Execution: Locate reachable gateway management interface
Persist: Authenticate remotely with default credential
Impact: Manipulate bridged fieldbus traffic and pivot into OT network

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires network reachability to the management interface of an affected MBS gateway (Single-A, Double-A Profibus/X-Link, Single-X, or Double-X CAN/DALI/KNX/LON/M-Bus/Profinet) and one-time access to a firmware image of the product line to extract the embedded default password. The CVSS 4.0 vector confirms no authentication (PR:N), no user interaction (UI:N), and low attack complexity (AC:L), so once the credential is recovered any reachable device is exploitable in its default configuration. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H reflects a worst-case profile: network reachable, no authentication, no user interaction, and full confidentiality/integrity/availability impact on the vulnerable component, which is consistent with the 9.3 critical rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in.

Exploit Scenario: An attacker downloads or otherwise obtains an MBS gateway firmware image, extracts the filesystem, and recovers the hard-coded administrative password through static analysis of binaries or configuration files. They then scan customer or industrial networks for reachable MBS Single-A/Double-A/Single-X/Double-X management interfaces and log in remotely with the recovered credential to take full control of the gateway, allowing manipulation of bridged fieldbus traffic (Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN) and pivoting into the OT network. No public exploit is identified at the time of analysis, but the technique requires only commodity reverse-engineering skill.

Remediation: Patch status is not explicitly confirmed in the provided data; refer to the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ for the vendor-released firmware version and apply it to every affected Single-A, Double-A, Single-X, and Double-X gateway as soon as it is published. … Detailed patch versions, workarounds, and compensating controls are in the full report.
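The risk assessment above reads the CVSS 4.0 vector metric by metric. The following is an added example (not vuln.today's, CERT@VDE's, or MBS's code) that parses and validates a CVSS 4.0 vector string against the metric names and allowed values defined in the CVSS v4.0 specification, then checks whether the base metrics match the "worst-case" profile the assessment describes. It does not compute the numeric score; the only page-specific input is the vector published for this CVE, and the rejected 3.x-style vector at the end is constructed for illustration.

```python
"""Parse and validate a CVSS 4.0 vector string (added example, not the page's own code).

Metric names and allowed values follow the CVSS v4.0 specification. PAGE_VECTOR is the
vector published for this CVE; everything else here is an assumption of this example.
"""
from __future__ import annotations

# Allowed values per metric, as listed in the CVSS v4.0 specification.
CVSS40_METRICS: dict[str, tuple[str, ...]] = {
    # Base: exploitability
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    # Base: vulnerable system impact
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    # Base: subsequent system impact
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
    # Threat
    "E": ("X", "A", "P", "U"),
    # Environmental
    "CR": ("X", "H", "M", "L"), "IR": ("X", "H", "M", "L"), "AR": ("X", "H", "M", "L"),
    "MAV": ("X", "N", "A", "L", "P"), "MAC": ("X", "L", "H"), "MAT": ("X", "N", "P"),
    "MPR": ("X", "N", "L", "H"), "MUI": ("X", "N", "P", "A"),
    "MVC": ("X", "H", "L", "N"), "MVI": ("X", "H", "L", "N"), "MVA": ("X", "H", "L", "N"),
    "MSC": ("X", "H", "L", "N"), "MSI": ("X", "S", "H", "L", "N"), "MSA": ("X", "S", "H", "L", "N"),
    # Supplemental (note: in 4.0 "S" is Safety, not the 3.x Scope metric)
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# The vector published for this CVE on the page.
PAGE_VECTOR = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/"
               "E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/"
               "MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X")


def parse_cvss40(vector: str) -> dict[str, str]:
    """Return {metric: value}; raise ValueError on a malformed, unknown or incomplete vector."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS 4.0 vector: {parts[0]!r}")
    metrics: dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in CVSS40_METRICS:
            raise ValueError(f"unknown metric {part!r}")
        if value not in CVSS40_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    # All eleven base metrics are mandatory; threat/environmental/supplemental are optional.
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def is_worst_case_base(metrics: dict[str, str]) -> bool:
    """True when the base exploitability and vulnerable-system impact match the page's
    'worst-case profile': network, low complexity, no prerequisites, no auth, no UI, H/H/H."""
    return (metrics["AV"] == "N" and metrics["AC"] == "L" and metrics["AT"] == "N"
            and metrics["PR"] == "N" and metrics["UI"] == "N"
            and all(metrics[m] == "H" for m in ("VC", "VI", "VA")))


def exposure_summary(metrics: dict[str, str]) -> str:
    """One-line triage summary of how the vulnerable component can be reached."""
    av = {"N": "network", "A": "adjacent", "L": "local", "P": "physical"}[metrics["AV"]]
    return (f"reachable over {av}; privileges required: {metrics['PR']}; "
            f"user interaction: {metrics['UI']}; attack complexity: {metrics['AC']}")


if __name__ == "__main__":
    m = parse_cvss40(PAGE_VECTOR)
    print(exposure_summary(m))
    print("worst-case base profile:", is_worst_case_base(m))
    # A CVSS 3.x-style body (constructed) is rejected: in 4.0 "S" is Safety (X/N/P),
    # so "S:U" is an invalid value, and C/I/A are not 4.0 metrics at all.
    try:
        parse_cvss40("CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")
    except ValueError as err:
        print("rejected:", err)
```

Running the block against the page's vector prints "reachable over network; privileges required: N; user interaction: N; attack complexity: L" and confirms the worst-case base profile. The validator deliberately refuses any metric token it does not know, which is what catches a 3.x metric such as Scope being carried into a 4.0 display.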

Recommended Action (AI-generated)

Within 24 hours: Identify all deployed MBS gateway instances; isolate affected devices from external networks and revoke remote administrative access. …


Related MBS gateway advisories (descriptions truncated on the page):

CVE-2026-35082 (HIGH, 8.7, Jun 03): Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r
CVE-2026-35085 (HIGH, 8.7, Jun 03): Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a
CVE-2026-35084 (HIGH, 8.7, Jun 03): Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A
CVE-2026-35083 (HIGH, 8.7, Jun 03): Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c
CVE-2026-35080 (HIGH, 7.2, Jun 03): Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files o
CVE-2026-35079 (HIGH, 7.2, Jun 03): Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege
CVE-2026-35078 (HIGH, 7.2, Jun 03): Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca
CVE-2026-35077 (HIGH, 7.2, Jun 03): Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an
CVE-2026-35076 (HIGH, 7.2, Jun 03): Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across
CVE-2026-35081 (HIGH, 7.2, Jun 03): Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi


EUVD-2026-34071 vulnerability details – vuln.today
