Vulnerabilities in mbCONNECT24/mymbCONNECT24

VDE-2025-034

Last update

24.06.2025 12:00

Published at

24.06.2025 12:00

Vendor(s)

MB connect line GmbH

External ID

VDE-2025-034

CSAF Document

Download

Summary

The mb24api endpoint reachable when connected via VPN is missing authentication for sensitive functions. This can lead to information disclosure of user- and device names and to DoS.

Impact

Some limited sensitive data can be accessed and a DoS can be performed targeting a specific user/device.

Affected Product(s)

Model no.	Product name	Affected versions
	mbCONNECT24	Firmware <2.18.0
	mymbCONNECT24	Firmware <2.18.0

Vulnerabilities

Expand / Collapse all

Published

24.09.2025 12:42

Severity

8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.

References

cve.org | nvd.nist.gov

Remediation

Update to latest version: 2.18.0

Acknowledgments

MB connect line GmbH thanks the following parties for their efforts:

CERT@VDE for coordination (see https://certvde.com )

Revision History

Version	Date	Summary
1	24.06.2025 12:00	Initial revision.

Vulnerabilities in mbCONNECT24/mymbCONNECT24

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2025-3090 8.2

Remediation

Acknowledgments

Revision History