Skip to main content

Mymbconnect24

24 CVEs product

Monthly

CVE-2026-10521 HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
CVSS 4.0
8.6
EPSS
0.3%
CVE-2026-33617 MEDIUM This Month

Unauthenticated remote attackers can access configuration files containing database credentials in MB Connect Line mbconnect24 and mymbconnect24 products, resulting in disclosure of sensitive authentication material. Although CVSS rates this as 5.3 (low severity confidentiality impact), the practical risk is limited because the disclosed credentials cannot be directly exploited to compromise additional systems-no exposed endpoint exists to leverage them. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-33616 HIGH This Week

Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract sensitive database contents via the mb24api endpoint. The vulnerability enables complete confidentiality breach through crafted SQL SELECT commands with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis. Vendor advisory published by CERT@VDE with remediation guidance.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33615 CRITICAL Act Now

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. With CVSS 9.1 (Critical), CVSS vector PR:N confirms no authentication required, and attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in CERT@VDE advisory provide sufficient information for rapid weaponization.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-33614 HIGH This Week

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to extract sensitive data through the getinfo endpoint. The vulnerability permits direct database queries without authentication, enabling complete confidentiality breach of stored information. EPSS and KEV data not provided; exploitation status unknown beyond technical disclosure by CERT@VDE.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33613 HIGH This Week

Remote code execution in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows high-privileged authenticated attackers to achieve full system compromise through command injection in the generateSrpArray function. Exploitation requires the attacker to first write arbitrary data to the user table via another vulnerability, establishing a chained attack scenario. No public exploit identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once database write access is obtained.

Command Injection Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-32969 HIGH This Week

A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.

SQLi Mb Connect Line Mbconnect24 Mymbconnect24 Myrex24V2 Myrex24V2 Virtual
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-32968 CRITICAL Act Now

This is a critical OS command injection vulnerability in the com_mb24sysapi module of several MB Connect Line and Helmholz industrial remote access products. An unauthenticated remote attacker can execute arbitrary OS commands without any user interaction, leading to complete system compromise. This is a variant of CVE-2020-10383, suggesting similar attack patterns may be applicable, and the 9.8 CVSS score reflects the severe nature of network-accessible, authentication-free remote code execution in industrial control system components.

Command Injection Mb Connect Line Mbconnect24 Mymbconnect24 Myrex24V2 Myrex24V2 Virtual
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2024-45273 HIGH This Week

An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Mbnet Mini Firmware Myrex24 V2 Virtual Server Rex 300 Firmware Rex 200 Firmware +11
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2024-45272 HIGH This Week

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Myrex24 V2 Virtual Server Rex 300 Firmware Rex 200 Firmware Rex 250 Firmware +9
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-4834 MEDIUM This Month

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Myrex24 Myrex24 Virtual Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-1779 MEDIUM This Month

Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-0985 HIGH This Week

An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
8.8
EPSS
0.8%
CVE-2022-22520 MEDIUM This Month

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24 Myrex24 Myrex24 Virtual
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-34580 HIGH This Week

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-34575 HIGH This Week

In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-34574 MEDIUM This Month

In MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2 an authenticated attacker can change the password of his account into a new. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24 Myrex24 Myrex24 Virtual
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-24568 MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-24570 MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF CSRF Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2020-24569 MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
4.3
EPSS
0.7%
CVE-2020-10384 HIGH This Week

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2020-10383 CRITICAL PATCH Act Now

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2020-10382 HIGH PATCH This Week

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
8.8
EPSS
1.9%
CVE-2020-10381 MEDIUM PATCH This Month

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Mbconnect24 Mymbconnect24
NVD
CVSS 3.1
5.3
EPSS
1.1%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privileged remote modification of critical program parameters in MB connect line mbCONNECT24 and mymbCONNECT24 allows authenticated high-privilege attackers to reach a hidden configuration method that should be inaccessible to any user, resulting in total compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE under advisory VDE-2026-068.

Information Disclosure Mbconnect24 Mymbconnect24
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can access configuration files containing database credentials in MB Connect Line mbconnect24 and mymbconnect24 products, resulting in disclosure of sensitive authentication material. Although CVSS rates this as 5.3 (low severity confidentiality impact), the practical risk is limited because the disclosed credentials cannot be directly exploited to compromise additional systems-no exposed endpoint exists to leverage them. No public exploit code or active exploitation has been identified at the time of analysis.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Blind SQL injection in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows unauthenticated remote attackers to extract sensitive database contents via the mb24api endpoint. The vulnerability enables complete confidentiality breach through crafted SQL SELECT commands with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis. Vendor advisory published by CERT@VDE with remediation guidance.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 9.1
CRITICAL Act Now

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 platforms allows unauthenticated remote attackers to execute arbitrary SQL commands via the setinfo endpoint, potentially destroying database integrity and causing complete service disruption. The vulnerability stems from insufficient input validation in SQL UPDATE operations. With CVSS 9.1 (Critical), CVSS vector PR:N confirms no authentication required, and attack complexity is low (AC:L), making this trivially exploitable. No public exploit identified at time of analysis, though the technical details disclosed in CERT@VDE advisory provide sufficient information for rapid weaponization.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SQL injection in MB Connect Line's mbCONNECT24 and mymbCONNECT24 products allows unauthenticated remote attackers to extract sensitive data through the getinfo endpoint. The vulnerability permits direct database queries without authentication, enabling complete confidentiality breach of stored information. EPSS and KEV data not provided; exploitation status unknown beyond technical disclosure by CERT@VDE.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.2
HIGH This Week

Remote code execution in MB Connect Line mbCONNECT24 and mymbCONNECT24 allows high-privileged authenticated attackers to achieve full system compromise through command injection in the generateSrpArray function. Exploitation requires the attacker to first write arbitrary data to the user table via another vulnerability, establishing a chained attack scenario. No public exploit identified at time of analysis, though the low attack complexity (AC:L) indicates straightforward exploitation once database write access is obtained.

Command Injection Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.5
HIGH This Week

A pre-authentication blind SQL injection vulnerability exists in the userinfo endpoint's authentication method, allowing unauthenticated remote attackers to extract sensitive data from backend databases without any credentials. Affected products include MB Connect Line's mbCONNECT24 and mymbCONNECT24 industrial remote access solutions, as well as Helmholz's myREX24v2 and myREX24v2.virtual platforms used in industrial automation environments. With a CVSS score of 7.5 and complete loss of confidentiality, this represents a significant risk to industrial control systems, though no active exploitation (KEV) or public POC has been reported yet.

SQLi Mb Connect Line Mbconnect24 Mymbconnect24 +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

This is a critical OS command injection vulnerability in the com_mb24sysapi module of several MB Connect Line and Helmholz industrial remote access products. An unauthenticated remote attacker can execute arbitrary OS commands without any user interaction, leading to complete system compromise. This is a variant of CVE-2020-10383, suggesting similar attack patterns may be applicable, and the 9.8 CVSS score reflects the severe nature of network-accessible, authentication-free remote code execution in industrial control system components.

Command Injection Mb Connect Line Mbconnect24 Mymbconnect24 +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Mbnet Mini Firmware Myrex24 V2 Virtual Server +13
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Myrex24 V2 Virtual Server Rex 300 Firmware +11
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Myrex24 Myrex24 Virtual +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Exposure of Sensitive Information to an unauthorized actor vulnerability in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual in versions <=2.13.3 allow an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mbconnect24 Mymbconnect24
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Mbconnect24 Mymbconnect24
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24 +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

In MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2 an authenticated attacker can change the password of his account into a new. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Mbconnect24 Mymbconnect24 +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF CSRF Mbconnect24 +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Mbconnect24 Mymbconnect24
NVD
EPSS 0% CVSS 7.8
HIGH This Week

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Mbconnect24 Mymbconnect24
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Mbconnect24 Mymbconnect24
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Mbconnect24 Mymbconnect24
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Mbconnect24 Mymbconnect24
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy