CVE-2026-40817
Description
An unauthenticated remote attacker can exploit a SQL injection vulnerability in the getAlarmProfiles function, caused by improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in mbCONNECT24's getAlarmProfiles function allows remote attackers to read the database, leading to total confidentiality loss.
Vulnerability
An unauthenticated SQL injection vulnerability exists in the getAlarmProfiles function of MB connect line's mbCONNECT24 and mymbCONNECT24 products [1]. The function fails to properly neutralize special elements in a SQL SELECT command, allowing an attacker to inject arbitrary SQL statements. The exact affected version ranges are not specified in the available reference, but the advisory indicates multiple SQLi vulnerabilities across these products [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP request to the getAlarmProfiles endpoint with malicious SQL payloads in the input parameters [1]. No authentication or prior access is required. The attacker only needs network connectivity to the affected service.
Impact
Successful exploitation results in a total loss of confidentiality, as the attacker can read arbitrary data from the underlying database [1]. The impact is limited to information disclosure; no integrity or availability compromise is described.
Mitigation
No mitigation details, including patched versions or workarounds, have been disclosed in the available reference [1]. Users are advised to monitor the vendor's security advisories for updates.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (1)
News mentions (0): no linked articles in our index yet.