CVE-2026-40821
Description
A high-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged remote attacker can exploit an unauthenticated SQL injection in mbCONNECT24's getAccountByID function to leak database contents.
Vulnerability
An SQL injection vulnerability exists in the getAccountByID function of MB connect line's mbCONNECT24 and mymbCONNECT24 products. The function fails to properly neutralize special elements in a SQL SELECT command, allowing an attacker to inject arbitrary SQL. The vulnerability is exploitable by a high-privileged remote attacker, and the function is accessible without authentication. Affected versions are not explicitly listed in the advisory [1].
Exploitation
An attacker with high privileges (e.g., administrative access) and network connectivity can send crafted input to the getAccountByID function. The lack of input sanitization allows the attacker to manipulate the SQL query, potentially extracting data from the database. The exact exploitation steps are not detailed in the available reference.
Impact
Successful exploitation leads to a total loss of confidentiality. The attacker can read arbitrary data from the database, including sensitive information such as user credentials or configuration details. No impact on integrity or availability is described.
Mitigation
As of the advisory publication date (2026-05-27), no fixed version or workaround has been disclosed by the vendor [1]. Users should monitor MB connect line's official channels for updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.