Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CERTVDE) · only source for this CVE.
Description (CVE.org)
The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
Analysis (AI)
Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege user accounts to delete arbitrary files on the device by abusing the ugw-restore method, which fails to validate user-controlled path input. The vulnerability affects multiple MBS gateway variants (Single-A, Double-A Profibus/X-Link, Single-X, and Double-X CAN/DALI/KNX/LON/M-Bus/Profinet bridges) used in industrial fieldbus integration. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must (a) have network reachability to the MBS gateway's management interface where the ugw-restore method is exposed and (b) hold valid low-privilege user credentials on the device (CVSS PR:L) - anonymous exploitation is not indicated. … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) indicates network-reachable, low-complexity exploitation requiring only low-privilege authenticated access and no user interaction, with high impact to integrity and availability (VI:H/VA:H) and no confidentiality impact. … |
| Exploit Scenario | An attacker who has obtained or been granted a low-privilege user account on an MBS gateway - for example a contractor account, a shared operator credential, or one harvested via phishing of a building-automation integrator - authenticates to the device's management interface over the network and invokes the ugw-restore method with a path-traversal payload that points at critical configuration, firmware, or system files. The device deletes the targeted files, which can corrupt gateway configuration, disable fieldbus communication, or render the unit unbootable, causing loss of automation control over connected Profibus, KNX, LON, DALI, M-Bus, or Profinet segments. … |
| Remediation | Patch status is not enumerated in the supplied data - no vendor-released patched version is independently confirmed at time of analysis, so administrators must consult the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ for the fixed firmware revision and apply it to each affected MBS gateway model in inventory. … |
Recommended Action (AI)
24 hours: Audit all MBS UGW deployments to identify affected models (Single-A, Double-A Profibus/X-Link, Single-X, Double-X CAN/DALI/KNX/LON/M-Bus/Profinet) and document installed firmware versions. …
Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)
Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c
Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files o
Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca
Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an
Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across
Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi
Same weakness CWE-73 – External Control of File Name or Path
Same technique Information Disclosure
EUVD-2026-34075
GHSA-9rf2-8ppr-jwp6