CVE-2026-40828

Vulnerability

An unauthenticated SQL Injection vulnerability exists in the DeleteSysLogEntry function of MB connect line mbCONNECT24 and mymbCONNECT24. The improper neutralization of special elements in a SQL DELETE command allows an attacker to inject arbitrary SQL. Affected versions are not explicitly listed in the available references [1], but the advisory covers multiple SQLi vulnerabilities in these products [1].

Exploitation

A high privileged remote attacker can exploit the SQLi without prior authentication on the affected systems. The attacker must be able to send crafted input to the DeleteSysLogEntry endpoint, which fails to sanitize user-supplied data. The exploitation results in the execution of arbitrary SQL DELETE statements, and due to the nature of the injection, the attacker can also extract data using UNION-based or blind techniques [1].

Impact

Successful exploitation leads to a total loss of confidentiality, as the attacker can read the entire database contents. Additionally, the attacker can delete entries in a non-critical table, resulting in some loss of integrity. The impact is limited to database access; no remote code execution or privilege escalation is described [1].

Mitigation

Specific fix versions and release dates are not disclosed in the available references. As a workaround, restrict network access to the affected products and apply defense-in-depth measures such as input validation. Users should monitor vendor advisories for patches [1].