Summary
Multiple vulnerabilities have been discovered in MB connect line products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the mbCONNECT24 and mymbCONNECT24 products, while CVE-2024-45273 affects the mbNET/mbNET.rokey, mbCONNECT24, mymbCONNECT24, mbNET HW1, and mbSPIDER products.
Impact
CVE-2024-45272 allows brute-force attacks against remote credentials with a high probability of success.
CVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
| MB connect line mbCONNECT24 | Firmware <=2.16.2 |
| MB connect line mbNET HW1 | Firmware <=5.1.11 |
| MB connect line mbNET/mbNET.rokey | Firmware <=8.2.0 |
| MB connect line mbSPIDER | Firmware <=2.6.5 |
| MB connect line mymbCONNECT24 | Firmware <=2.16.2 |
Vulnerabilities
CVE-2024-45273: An unauthenticated local attacker can decrypt the device's configuration file, and therefore compromise the device, due to a weak implementation of the encryption used.
CVE-2024-45272: An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in loss of connection.
Remediation
Update mbNET/mbNET.rokey to version 8.2.1
Update mbCONNECT24, mymbCONNECT24 to version 2.16.3
Note: mbNET HW1 and mbSPIDER are EOL and will not receive any further updates.
Revision History
Version | Date | Summary |
---|---|---|
1 | 10/15/2024 10:00 | Initial revision. |
2 | 11/06/2024 12:27 | Fix: correct certvde domain, added self-reference |
3 | 05/14/2025 14:28 | Fix: version space |