CVE-2026-40838
Description
A low-privileged remote attacker can exploit an unauthenticated SQL injection vulnerability in the getDeviceScalings function, due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in mbCONNECT24's getDeviceScalings function lets a low-privilege remote attacker read the database, causing total confidentiality loss.
Vulnerability
A SQL injection vulnerability exists in the getDeviceScalings function of MB connect line's mbCONNECT24 and mymbCONNECT24 products [1]. The flaw is due to improper neutralization of special elements used in a SQL SELECT command. Unauthenticated remote attackers can exploit this issue. The advisory from CERT@VDE (VDE-2026-044) lists multiple SQLi vulnerabilities; this specific CVE covers the getDeviceScalings vector [1]. The affected versions are not enumerated in the available references, but the vendor advisory covers the product lines in general.
Exploitation
An attacker needs network access to the vulnerable endpoint and no prior authentication. The attack does not require user interaction. The advisory confirms the attack vector is over the network and the complexity is low, as the vulnerable function is reachable without special preconditions [1]. Exact steps have not been detailed in public sources, but the injection occurs in the getDeviceScalings function, presumably by sending crafted input to the relevant parameter.
Impact
Successful exploitation results in unauthorized read access to the underlying database. The description states a total loss of confidentiality, and the CVSS v3 base score is 6.5 (Medium) [1]. Note that 6.5 is the score for the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, i.e. one that requires low privileges; this matches the "low privileged attacker" wording of the description rather than its "unauthenticated" wording, since the same vector with PR:N would score 7.5. The attacker can extract sensitive data stored in the database, potentially including credentials or configuration information, but no write access or code execution is described.
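Because no source code for getDeviceScalings is public, the following is a generic illustration, added here and not taken from mbCONNECT24 or from the advisory, of the flaw class described above and of how a read-only SELECT injection leaks unrelated tables. The table names, columns, sample rows and payload are constructed for the example; the vulnerable function concatenates the device identifier into the SELECT text, the fixed function binds it as a parameter.

```python
import sqlite3

# Constructed schema and sample data for the demonstration only: a scaling table
# for device channels plus an unrelated, sensitive users table. Not product data.
SCHEMA = """
CREATE TABLE device_scalings (device_id INTEGER, channel TEXT, factor REAL, offset REAL);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO device_scalings VALUES (1, 'temp', 0.1, -40.0), (1, 'pressure', 2.0, 0.0), (2, 'flow', 1.5, 0.0);
INSERT INTO users VALUES ('admin', 'hash-constructed-1'), ('operator', 'hash-constructed-2');
"""


def make_db():
    """Fresh in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_device_scalings_vulnerable(conn, device_id):
    """Hypothetical vulnerable variant: the untrusted value is spliced into the
    SELECT text, so SQL special characters in it become part of the query
    (the 'improper neutralization' flaw class)."""
    sql = f"SELECT channel, factor, offset FROM device_scalings WHERE device_id = {device_id}"
    return conn.execute(sql).fetchall()


def get_device_scalings_fixed(conn, device_id):
    """Hardened variant: the value is type-checked and bound as a parameter,
    so it can never alter the SQL grammar."""
    sql = "SELECT channel, factor, offset FROM device_scalings WHERE device_id = ?"
    return conn.execute(sql, (int(device_id),)).fetchall()


# Constructed payload: a UNION appended to the numeric parameter reuses the
# same SELECT (three columns) to pull rows out of the users table. Read-only,
# yet it exposes every table the application account can read.
PAYLOAD = "1 UNION SELECT username, password_hash, NULL FROM users"


def demo():
    """Run both variants against the sample database and summarize the outcome."""
    conn = make_db()
    legit = get_device_scalings_vulnerable(conn, "1")      # intended use: 2 rows
    leaked = get_device_scalings_vulnerable(conn, PAYLOAD)  # 2 scaling rows + 2 user rows
    try:
        get_device_scalings_fixed(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True  # int() rejects the payload before any SQL is executed
    fixed_rows = len(get_device_scalings_fixed(conn, 1))
    return {"legit_rows": len(legit), "leaked": leaked, "blocked": blocked, "fixed_rows": fixed_rows}


if __name__ == "__main__":
    result = demo()
    for row in result["leaked"]:
        print(row)
    print("fixed variant blocked payload:", result["blocked"])
```

Even if the fixed variant dropped the int() cast, binding the payload as a string would only compare it against device_id as a literal value and return no rows; the type check is there so that malformed input fails loudly instead of silently returning nothing.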
Mitigation
No fixed version or official patch date has been disclosed in the available references. The advisory (VDE-2026-044) was published on 2026-05-27, and no workaround is documented. Operators should monitor the vendor advisory for updated software releases and, until a fix is available, restrict network access to the affected web application to trusted management networks so that the vulnerable endpoint is not reachable by arbitrary remote clients [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.