VDE-2025-065 | CERT@VDE

2025-07-31 12:00 (CEST) VDE-2025-065

MB connect line: Sandbox escape in mbNET's LUA interpreter

Share: Email | Twitter

ID

VDE-2025-065

Published

2025-07-31 12:00 (CEST)

Last update

2025-07-28 09:17 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No°	Product Name	Affected Version(s)
	mbNET HW1	<= 5.1.11
	mbNET/mbNET.rokey	< 7.3.0

Summary

An authenticated remote attacker can exploit an undocumented method to escape the LUA sandbox in mbNET devices, enabling the execution of arbitrary operating system commands and leading to full system compromise.

CVE ID

CVE-2025-41688

Last Update:

1. August 2025 11:48

Severity

7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness

Improper Isolation or Compartmentalization (CWE-653)

Summary

A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox.

Details

cert.vde.com

Impact

This vulnerability allows an authenticated remote attacker to fully compromise the system by executing arbitrary OS commands.

Solution

Remediation

Update mbNET/mbNET.rokey to at least version 7.3.0
Note: mbNET HW1 is EOL and will not receive any further updates.

Reported by

CERT@VDE coordinated with MB connect line GmbH

Marcel Rick-Cen for reporting