ID

VDE-2025-034

Published

2025-06-24 10:00 (CEST)

Last update

2025-06-16 11:46 (CEST)

Vendor(s)

MB connect line GmbH

Product(s)

Article No° | Product Name | Affected Version(s)
- | mbCONNECT24 | < 2.18.0
- | mymbCONNECT24 | < 2.18.0

Summary

The mb24api endpoint, which is reachable when connected via VPN, is missing authentication for sensitive functions. This can lead to disclosure of user and device names and to denial of service (DoS).


CVE ID

CVE-2025-3090

Last Update:

June 16, 2025, 11:44 a.m.

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for a critical function.

Details

certvde.com 

Impact

Some limited sensitive data can be accessed and a DoS can be performed targeting a specific user/device.

Solution

Remediation

Update to latest version: 2.18.0

Reported by

CERT@VDE coordinated with MB connect line