Vulnerabilities in mbCONNECT24/mymbCONNECT24

VDE-2025-035
Last update
06/24/2025 12:00
Published at
06/24/2025 12:00
Vendor(s)
MB connect line GmbH
External ID
VDE-2025-035
Summary

Two vulnerabilities in mbCONNECT24/mymbCONNECT24 can lead to user enumeration and password bypass.

Impact

CVE-2025-3091: An attacker in possession of the second factor for a user can log in as that user without knowledge of the password (first factor).

CVE-2025-3092: An unprotected endpoint can be used to enumerate valid user names.

Affected Product(s)

Product name    Affected versions
mbCONNECT24     Firmware <2.16.5, Firmware <2.18.0
mymbCONNECT24   Firmware <2.16.5, Firmware <2.18.0

Vulnerabilities

CVE-2025-3092
Published
09/22/2025 14:57
Weakness
Observable Response Discrepancy (CWE-204)
Summary

An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.

CVE-2025-3091
Published
09/22/2025 14:57
Weakness
Authorization Bypass Through User-Controlled Key (CWE-639)
Summary

A low-privileged remote attacker in possession of the second factor for another user can log in as that user without knowledge of the other user's password.
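The two weakness classes above (CWE-204 response discrepancy and CWE-639 user-controlled key in the second-factor step) are illustrated below with a constructed two-step login flow. This is added example code, not mbCONNECT24 code; the user store, the hypothetical functions and the challenge-token mechanism are all assumptions, and the second factor is modelled as a static code rather than a real TOTP.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed user store (not from the advisory): username -> (password hash, second-factor code).
_USERS = {"alice": (hashlib.sha256(b"correct horse").hexdigest(), "123456")}
# Compared against for unknown users so the failure path does the same hashing work.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()
# Server-side record of password-verified logins: challenge token -> username.
_PENDING: dict = {}
GENERIC_FAILURE = "invalid credentials"


def _password_ok(user: str, password: str) -> bool:
    stored = _USERS.get(user, (_DUMMY_HASH, None))[0]
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given) and user in _USERS


def _second_factor_ok(user: str, code: str) -> bool:
    entry = _USERS.get(user)
    return entry is not None and hmac.compare_digest(entry[1], code)


def verify_second_factor_vulnerable(user: str, code: str) -> Optional[str]:
    """Weak pattern (CWE-639): the username is taken from the client and nothing
    proves the password step happened, so a valid second factor alone yields a session."""
    return f"session-for-{user}" if _second_factor_ok(user, code) else None


def begin_login(user: str, password: str):
    """Step 1: verify the first factor. Unknown user and wrong password return the
    same message and follow the same hashing path (CWE-204 mitigation)."""
    if not _password_ok(user, password):
        return False, GENERIC_FAILURE
    token = secrets.token_urlsafe(16)
    _PENDING[token] = user  # the binding to the user lives server-side only
    return True, token


def finish_login(token: str, code: str) -> Optional[str]:
    """Step 2: the user is derived from the server-issued token, never from the
    client, so the second factor is useless without first passing step 1."""
    user = _PENDING.pop(token, None)  # single use
    if user is None or not _second_factor_ok(user, code):
        return None
    return f"session-for-{user}"
```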

Remediation

CVE-2025-3091: Update to latest version: 2.16.5

CVE-2025-3092: Update to latest version: 2.18.0

Revision History

Version Date Summary
1 06/24/2025 12:00 Initial revision.