VYPR
Medium severity (5.5) | NVD Advisory | Published May 27, 2026

CVE-2026-40825

Description

A high-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the devices parameter of the accountstatus view, due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A high-privileged remote attacker can exploit an unauthenticated SQL injection in mbCONNECT24's accountstatus view to read the entire database and alter non-critical tables.

Vulnerability

The vulnerability is an unauthenticated SQL injection in the devices parameter of the accountstatus view in MB connect line mbCONNECT24 and mymbCONNECT24 [1]. Improper neutralization of special elements in a SQL UPDATE command allows an attacker to inject arbitrary SQL. The exact affected versions are not specified in the available references, but the product line is affected.

Exploitation

An attacker with high privileges (e.g., administrative access) and network connectivity can exploit this by sending a crafted request to the accountstatus view with a malicious devices parameter. The SQL injection occurs in an UPDATE statement, enabling the attacker to execute arbitrary SQL commands. According to the description, no authentication is required for the vulnerable endpoint itself, yet the attacker must hold high privileges to reach it.
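As an added illustration that is not from the advisory or the vendor: a hypothetical device-status UPDATE that splices a comma-separated `devices` parameter straight into its IN list, beside a hardened version that validates the list and binds every value. The table, column names and inputs are constructed; the real mbCONNECT24 code is not available here.

```python
import sqlite3


def make_db():
    """Constructed sample schema: devices owned by two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices (id INTEGER PRIMARY KEY, account_id INTEGER, status TEXT);
        INSERT INTO devices VALUES (1, 10, 'active'), (2, 10, 'active'), (3, 20, 'active');
    """)
    return conn


def update_status_vulnerable(conn, account_id, devices_param, new_status):
    """Hypothetical flawed pattern: the raw request parameter is spliced into
    the UPDATE's IN (...) list, so the WHERE clause is attacker-controlled."""
    sql = (f"UPDATE devices SET status = '{new_status}' "
           f"WHERE account_id = {account_id} AND id IN ({devices_param})")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually changed


def update_status_safe(conn, account_id, devices_param, new_status):
    """Hardened version: the parameter must be a comma-separated list of
    integer ids, and every value is bound rather than interpolated."""
    try:
        ids = [int(x) for x in devices_param.split(",")]
    except ValueError:
        raise ValueError("devices must be a comma-separated list of integer ids")
    placeholders = ",".join("?" * len(ids))
    sql = (f"UPDATE devices SET status = ? "
           f"WHERE account_id = ? AND id IN ({placeholders})")
    cur = conn.execute(sql, [new_status, account_id, *ids])
    conn.commit()
    return cur.rowcount


def demo():
    """Constructed inputs: a benign list and a tautology that widens the WHERE
    clause. Returns (vulnerable benign, vulnerable hostile, safe benign, safe hostile)."""
    hostile = "1) OR 1=1 --"
    v_benign = update_status_vulnerable(make_db(), 10, "1,2", "blocked")
    v_hostile = update_status_vulnerable(make_db(), 10, hostile, "blocked")
    s_benign = update_status_safe(make_db(), 10, "1,2", "blocked")
    try:
        s_hostile = update_status_safe(make_db(), 10, hostile, "blocked")
    except ValueError:
        s_hostile = "rejected"
    return v_benign, v_hostile, s_benign, s_hostile
```

The vulnerable path reports three changed rows for the hostile input, i.e. it also rewrote the other account's device, which is the cross-boundary integrity loss the advisory describes; the hardened path rejects the input before any SQL runs.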

Impact

Successful exploitation allows the attacker to read the entire database, leading to total loss of confidentiality. Additionally, the attacker can modify values in a non-critical table, resulting in some loss of integrity. The impact does not extend to critical tables or full system compromise.

Mitigation

No fix or workaround is disclosed in the available references [1]. Users are advised to monitor vendor advisories for updates. The product may be end-of-life or pending a patch; no further information is provided.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.