CVE-2026-40823
Description
A high-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A high-privileged remote attacker can exploit an unauthenticated SQL Injection in DevSerialReset to read the entire database and modify a non-critical table.
Vulnerability
An unauthenticated SQL Injection vulnerability exists in the DevSerialReset function of MB connect line mbCONNECT24 and mymbCONNECT24 due to improper neutralization of special elements used in an SQL UPDATE command [1]. The affected product versions are not explicitly enumerated in the available reference; they are only implied to be those released up to the date of the advisory (2026-05-27). A high-privileged remote attacker can exploit this to execute arbitrary SQL statements [1].
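The root cause named above is CWE-style improper neutralization: untrusted input is concatenated into the text of an UPDATE statement, so quote characters in the input rewrite the WHERE clause. The following is an added illustration, not code from mbCONNECT24 or from the advisory; the `devices` table, the `reset_serial_*` functions and the SQLite backend are all constructed assumptions standing in for whatever the product actually does. It shows, on a scratch in-memory database, that the interpolated form lets one request update every row while the parameterized form treats the same input as an inert literal.

```python
import sqlite3

# Constructed, hypothetical schema. It stands in for the product's database and
# is not taken from the affected software.
SCHEMA = """
CREATE TABLE devices (id INTEGER PRIMARY KEY, serial TEXT, status TEXT);
INSERT INTO devices VALUES (1, 'SN-0001', 'active');
INSERT INTO devices VALUES (2, 'SN-0002', 'active');
INSERT INTO devices VALUES (3, 'SN-0003', 'active');
"""


def fresh_db():
    """Return a new in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def reset_serial_vulnerable(conn, device_id):
    """Hypothetical 'before' form: the caller-supplied id is pasted into the SQL text.

    Special elements in device_id are not neutralized, so they become part of the
    statement and can widen the WHERE clause beyond the intended row.
    Returns the number of rows the UPDATE touched.
    """
    sql = f"UPDATE devices SET status = 'reset' WHERE id = '{device_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_serial_parameterized(conn, device_id):
    """Hardened form: the id is bound as a parameter, never parsed as SQL.

    The driver transmits device_id as a value, so quotes or keywords in it have
    no syntactic effect. Returns the number of rows the UPDATE touched.
    """
    cur = conn.execute(
        "UPDATE devices SET status = 'reset' WHERE id = ?", (device_id,)
    )
    conn.commit()
    return cur.rowcount


def rows_reset(conn):
    """Count how many rows ended up with status 'reset' (used to verify impact)."""
    return conn.execute(
        "SELECT COUNT(*) FROM devices WHERE status = 'reset'"
    ).fetchone()[0]


if __name__ == "__main__":
    # Constructed test input containing quote characters and a tautology.
    hostile = "1' OR '1'='1"

    db = fresh_db()
    print("interpolated, hostile input ->", reset_serial_vulnerable(db, hostile), "rows")

    db = fresh_db()
    print("parameterized, hostile input ->", reset_serial_parameterized(db, hostile), "rows")

    db = fresh_db()
    print("parameterized, honest input ->", reset_serial_parameterized(db, 1), "row")
```

The measurable difference is the affected row count: the interpolated statement resets all three devices from one request, while the bound-parameter statement matches nothing for the same string and exactly one row for a genuine id. In a review, any UPDATE assembled with string formatting from request parameters is the pattern to flag, regardless of how "trusted" the calling session is.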
Exploitation
The attacker requires high-privileged remote access to the system. The vulnerability is triggered by sending a crafted request to the DevSerialReset function that includes malicious SQL syntax within the input parameters. No additional authentication is needed beyond the high-privilege session, and no user interaction is required. The attacker can then issue arbitrary SQL commands against the backend database [1].
Impact
Successful exploitation results in a total loss of confidentiality, as the attacker can read the entire database. Additionally, the attacker can change values in a non-critical table, leading to some loss of integrity. The exact privilege level achieved is the same as the database user used by the application, which may have write access to certain tables [1].
Mitigation
As of the advisory publication date (2026-05-27), no patch or fixed version has been disclosed. The vendor MB connect line GmbH has not yet released a security update. No workaround is provided in the available references [1]. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.