Vulnerabilities in mbCONNECT24/mymbCONNECT24

VDE-2025-034
Last update: 06/24/2025 12:00
Published at: 06/24/2025 12:00
Vendor(s): MB connect line GmbH
External ID: VDE-2025-034

Summary

The mb24api endpoint, which is reachable when connected via VPN, is missing authentication for sensitive functions. This can lead to disclosure of user and device names and to DoS.

Impact

Some limited sensitive data can be accessed, and a DoS can be performed against a specific user or device.

Affected Product(s)

Model no. Product name Affected versions
mbCONNECT24 Firmware <2.18.0
mymbCONNECT24 Firmware <2.18.0

Vulnerabilities

Published: 09/22/2025 14:57
Weakness: Missing Authentication for Critical Function (CWE-306)
Summary

An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for a critical function.

Remediation

Update to the latest version: 2.18.0

Revision History

Version Date Summary
1 06/24/2025 12:00 Initial revision.