Share: Email | Twitter

ID

VDE-2025-058

Published

2025-07-21 12:00 (CEST)

Last update

2025-07-18 10:20 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° Product Name Affected Version(s)
mbNET.mini < 2.3.3

Summary

Multiple vulnerabilities in all mbNET.mini devices with firmware <= 2.3.2 that allow an attacker to gain full control over the device.

Vulnerabilities



CVE-2025-41675
7.2
Last Update
18. Juli 2025 10:05
Severity
7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command.

Details
cert.vde.com 
CVE-2025-41674
7.2
Last Update
18. Juli 2025 10:04
Severity
7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic action due to improper neutralization of special elements used in an OS command.

Details
cert.vde.com 
CVE-2025-41673
7.2
Last Update
18. Juli 2025 10:03
Severity
7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms action due to improper neutralization of special elements used in an OS command.

Details
cert.vde.com 
CVE-2025-41678
6.5
Last Update
18. Juli 2025 10:09
Severity
6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
Weakness
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary

A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement.

Details
cert.vde.com 
CVE-2025-41679
5.3
Last Update
18. Juli 2025 10:09
Severity
5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Weakness
Out-of-bounds Write (CWE-787)
Summary

An unauthenticated remote attacker could exploit a buffer overflow vulnerability in the device causing a denial of service that affects only the network initializing wizard (Conftool) service.

Details
cert.vde.com 
CVE-2025-41677
4.9
Last Update
18. Juli 2025 10:07
Severity
4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-mail action in fast succession.

Details
cert.vde.com 
CVE-2025-41676
4.9
Last Update
18. Juli 2025 10:06
Severity
4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Weakness
Uncontrolled Resource Consumption (CWE-400)
Summary

A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession.

Details
cert.vde.com 
CVE-2025-41681
4.8
Last Update
18. Juli 2025 10:11
Severity
4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content.

Details
cert.vde.com 

Impact

Full control over the device is possible in various ways. For details see CVE description.

Solution

Remediation

Update to latest version: 2.3.3

Reported by

CERT@VDE coordinated with MB connect line GmbH.

Sebastian Dietz from CyberDanube for coordination.

F. Bruckmoser, M. Eder, J. Heigl, M. Heudorn, G. Hofmarcher, M. Kadlec, M. Pristauz-Telsnigg, S. Resch, P. Schweinzer, M. Gschiel from St. Poelten UAS for reporting.