Summary
The data24 service that is bundled with every installation of mbCONNECT24/mymbCONNECT24 has two
serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity
and availability.
Impact
CVE-2024-23943: A total loss of confidentiality and integrity, for individual devices or the whole service, is
possible.
CVE-2024-23942: An attacker in possession of the device's configuration file can impersonate the real
device. This also allows to prevent the real device from connecting successful.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| Firmware <8.2.0 | mbNET.rokey, mbNET | |
| mbCONNECT24 | Firmware <2.16.2 | |
| mymbCONNECT24 | Firmware <2.16.2 |
Vulnerabilities
Expand / Collapse allAn unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected.
A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS.
Mitigation
CVE-2024-23942: If the device's serial number is known to mbCONNECT24/mymbCONNECT24 before the
downloadable configuration is created, that configuration will be encrypted allowing only the correct device to
decrypt it.
Remediation
Update to latest version: 2.16.2
CVE-2024-23943: This fix does not apply to mbNET/mbNET.rokey devices with firmware 8.0.0 - 8.1.3. If you are using a device with this firmware, please update it to >= 8.2.0.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 18.03.2025 12:00 | Initial revision. |
| 1.0.1 | 31.03.2025 15:00 | Update: Fixed Document reference CSAF |
| 1.0.2 | 10.04.2025 15:00 | Update: Fixed document reference URL |
| 1.0.3 | 14.05.2025 15:00 | Fix: added distribution |
| 1.1.3 | 27.08.2025 12:00 | Update: CWE form CVE-2024-23942, Revision History |