Back to overview

MB connect line: Multiple Vulnerabilities in mbCONNECT24/mymbCONNECT24

VDE-2026-030
Last update
04/02/2026 13:00
Published at
04/02/2026 13:00
Vendor(s)
MB connect line GmbH
External ID
VDE-2026-030
CSAF Document
Download

Summary

Multiple vulnerabilities have been discovered in MB connect line mbCONNECT24/mymbCONNECT24 that could allow RCE, SQLi or information leakage.

Impact

CVE-2026-33613 allows RCE resulting in full system compromise impacting confidentiality, integrity, and availability. CVE-2026-33614 and CVE-2026-33616 allow unauthenticated SQLi resulting in arbitrary read access to the complete database, while CVE-2026-33615 results in arbitrary write access to the user table. Lastly CVE-2026-33617 allows unauthenticated access to some sensitive data.

Affected Product(s)

Model no. Product name Affected versions
MB connect line mbCONNECT24 Firmware <=2.19.4, Firmware 2.19.4
mymbCONNECT24 Firmware 2.19.4, Firmware <=2.19.4

Vulnerabilities

Expand / Collapse all

Published
04/02/2026 11:03
Severity
9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Weakness
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.

References
cve.org | nvd.nist.gov

Published
04/02/2026 11:03
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary

An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

References
cve.org | nvd.nist.gov

Published
04/02/2026 11:03
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Summary

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

References
cve.org | nvd.nist.gov

Published
04/02/2026 11:03
Severity
7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.

This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.

References
cve.org | nvd.nist.gov

Published
04/02/2026 11:03
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
Summary

An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.

References
cve.org | nvd.nist.gov

Remediation

Update the mbCONNECT24/mymbCONNECT24 instance to version 2.19.5.

Acknowledgments

MB connect line GmbH thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 04/02/2026 13:00 Initial revision.