Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (CERTVDE) · only source for this CVE.
CVSS VectorVendor: CERTVDE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
AnalysisAI
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the gdv-serverconfig service on an affected MBS Single-A, Double-A, Single-X, or Double-X gateway, and (2) valid user-level credentials on the device (CVSS PR:L) - the flaw cannot be triggered fully unauthenticated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) describes a network-reachable, low-complexity flaw requiring only low-privileged credentials and no user interaction, with high confidentiality, integrity, and availability impact - a realistic priority for any operator exposing these gateways beyond a strictly segmented OT enclave. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained valid low-privileged credentials - for example through phishing an automation engineer, reusing a shared HMI password, or pivoting from a compromised engineering workstation - connects to the gdv-serverconfig service on an MBS gateway over the OT network and submits a configuration request containing an oversized field crafted to overwrite the saved return address on the stack. Execution redirects into attacker-controlled shellcode running as root, granting full control of the gateway and the ability to manipulate Profibus/Profinet/KNX traffic to downstream PLCs and field devices. … |
| Remediation | No vendor-released patch version is identified in the supplied data; consult the CERT@VDE advisory VDE-2026-039 at https://www.certvde.com/en/advisories/VDE-2026-039/ for the authoritative fixed firmware versions and apply them across all affected MBS Single-A, Double-A, Single-X, and Double-X variants. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Complete inventory of all affected MBS gateway models and versions in your operational technology environment; segment network access to these appliances and document current remote-access exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Credential disclosure in MBS industrial protocol gateways (Single-A, Double-A, Single-X, and Double-X product families)
Path traversal in MBS industrial gateway products (Single-A, Double-A, Single-X, Double-X series) allows authenticated r
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines c
Arbitrary file deletion in MBS GmbH universal gateway (UGW) products allows authenticated remote users to remove files o
Arbitrary file deletion in MBS Universal Gateway (UGW) products allows authenticated remote attackers with low-privilege
Arbitrary file deletion in MBS Universal Gateway (UGW) product line allows authenticated remote attackers to delete loca
Arbitrary file deletion in MBS Universal Gateway (UGW) product family allows authenticated remote attackers to remove an
Arbitrary file deletion in MBS GmbH industrial gateway products (single-a, double-a, single-x, double-x variants across
Privilege escalation / denial of service in MBS Universal Gateway (UGW) product family allows an authenticated low-privi
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34081
GHSA-57rp-874r-xvf4