MB connect line: mbNET.mini vulnerable to OS command injection

VDE-2024-030

Last update

03.07.2024 11:00

Published at

03.07.2024 11:00

Vendor(s)

MB connect line GmbH

External ID

VDE-2024-030

CSAF Document

Download

Summary

There exists a vulnerability in all mbNET.mini devices with firmware <= 2.2.11 that allows an authenticated attacker to execute arbitrary system commands via GET requests.
Update: 03.07.2024 3:30 pm
In section Reported by Sebastian Dietz (CyberDanube) was added.

Impact

See CVE description.

Affected Product(s)

Model no.	Product name	Affected versions
	mbNET.mini <=2.2.11	mbNET.mini <=2.2.11
	mbNET.mini <=2.2.11	mbNET.mini <=2.2.11

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:58

Severity

7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Weakness

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Summary

A high privileged remote attacker can execute arbitrary system commands via GET requests due to improper neutralization of special elements used in an OS command.

References

cve.org | nvd.nist.gov

Mitigation

As this is an authenticated exploit, you can mitigate it by making sure that no malicious actor can login to a vulnerable device.

Remediation

Update to latest version: 2.2.13

Revision History

Version	Date	Summary
1	03.07.2024 11:00	Initial revision.

MB connect line: mbNET.mini vulnerable to OS command injection

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2024-5672 7.2

Mitigation

Remediation

Revision History