MB connect line: Authenticated unintended access to critical program parameters in mbCONNECT24/mymbCONNECT24

VDE-2026-068
Last update: 06/23/2026 13:00
Published at: 06/23/2026 13:00
Vendor(s): MB connect line GmbH
External ID: VDE-2026-068

Summary

A vulnerability in mbCONNECT24/mymbCONNECT24 allows an authenticated remote attacker to access a hidden configuration method, which should not be accessible to any user, and use it to modify critical program parameters.

Impact

CVE-2026-10521 allows an authenticated remote attacker to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.

Affected Product(s)

Model no. | Product name | Affected versions
 | MB connect line mbCONNECT24 | Firmware 2.20.1, Firmware <2.20.2
 | mymbCONNECT24 | Firmware <2.20.2, Firmware 2.20.1

Vulnerabilities

Published: 06/23/2026 09:45
Weakness: Direct Request ('Forced Browsing') (CWE-425)
Summary

An authenticated remote attacker can access a hidden configuration method, which should not be accessible to any user, and use it to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.

Remediation

Update the mbCONNECT24/mymbCONNECT24 instance to version 2.20.2.

Acknowledgments

MB connect line GmbH thanks the following parties for their efforts:

Revision History

Version | Date | Summary
1.0.0 | 06/23/2026 13:00 | Initial revision.