Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CERTVDE) · only source for this CVE.
CVSS VectorVendor: CERTVDE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
AnalysisAI
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold valid low-privilege user credentials on the target MBS gateway (CVSS PR:L) and must be able to reach the dali-devconfig service over the network (AV:N); no user interaction and no additional attack prerequisites are required (UI:N, AT:N), and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) indicates network-reachable, low-complexity exploitation requiring only low-privilege credentials and no user interaction, producing full confidentiality, integrity, and availability impact on the vulnerable component - a profile consistent with the 8.7 High base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained valid low-privilege credentials on an MBS gateway - through credential reuse, a phished engineering workstation, or an exposed default account - authenticates to the management interface and submits crafted input to dali-devconfig that overflows a stack buffer. The overflow overwrites the saved return address, redirects execution to attacker-controlled shellcode, and yields a root shell on the gateway, from which the attacker can manipulate fieldbus traffic across Profibus/Profinet/KNX/LON/DALI segments or pivot deeper into the OT network. … |
| Remediation | Patch availability is not explicitly stated in the provided data; consult the CERT@VDE advisory at https://www.certvde.com/en/advisories/VDE-2026-039/ for the vendor-released fixed firmware version for each MBS Single-A, Single-X, Double-A, and Double-X model and upgrade to that build. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all MBS gateway units (Single-A, Single-X, Double-A/Double-X models) in production and document their role in facility operations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)
Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows a
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c
Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files o
Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege
Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca
Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an
Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across
Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34080
GHSA-vg85-v4gp-8v33