CVE-2026-40818

Vulnerability

An unauthenticated SQL Injection vulnerability exists in the _mb24confi_getDevice function of MB connect line mbCONNECT24 and mymbCONNECT24 products. The software fails to properly neutralize special elements in a SQL SELECT command, allowing an attacker to inject arbitrary SQL statements [1]. The vulnerability is present in all affected versions as per the vendor advisory, though exact version ranges are not fully enumerated in the references. The function handles device configuration requests without requiring authentication.

Exploitation

An unauthenticated remote attacker can send specially crafted input to the vulnerable endpoint, likely via HTTP requests that target the _mb24confi_getDevice function. No prior authentication or special network position is required; the attacker only needs network access to the affected service. The injection is triggered by supplying malicious SQL syntax within user-controlled parameters that are directly concatenated into the query without sanitization [1].

Impact

Successful exploitation grants the attacker the ability to read arbitrary data from the underlying database, potentially including sensitive information such as user credentials, configuration details, or other stored data. The advisory states that this results in a total loss of confidentiality [1]. No other impact on integrity or availability is indicated in the available references.

Mitigation

Per the vendor's advisory, a fix is expected to be released; however, no specific fixed version or release date is provided in the reference [1]. Users should monitor the vendor's security advisories for updates. As of the publication date (2026-05-27), no workaround has been disclosed. The advisory does not mention the product being listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.