CVE-2026-40839
Description
A low-privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated remote attacker can exploit a SQL injection in mbCONNECT24/mymbCONNECT24's getComponentScalings function to exfiltrate database contents.
Vulnerability
The vulnerability resides in the getComponentScalings function of MB connect line mbCONNECT24 and mymbCONNECT24. The function fails to properly neutralize special elements in a SQL SELECT command, allowing an attacker who has already authenticated (low-privileged) to inject malicious SQL. Affected product versions are detailed in the vendor advisory [1]. The injection occurs in a context where user-controlled input is directly embedded into a SQL query without sanitization.
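The paragraph above describes the general defect class: user-controlled input placed into a SQL SELECT without neutralization. The block below is an added illustration of that pattern and its fix, not code from mbCONNECT24 or the vendor (the real getComponentScalings implementation is not public on this page). The table, column names, tenant values and the helper names `lookup_component_scalings_vulnerable` / `lookup_component_scalings_hardened` are all constructed for the example. It shows how a string-built WHERE clause lets a crafted component id return rows belonging to another tenant, which is exactly the confidentiality loss the advisory warns about, and how type validation plus parameter binding closes that gap.

```python
"""Added illustration of an unparameterized SELECT versus a parameterized
one. Schema, data and function names are constructed; they are not the
product's own code."""
import sqlite3

# Constructed sample data: scaling settings for components of two tenants.
SAMPLE_ROWS = [
    (1, "tenant-a", "temperature", 0.1, 0.0),
    (2, "tenant-a", "pressure", 1.0, -5.0),
    (3, "tenant-b", "flow", 0.01, 0.0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE component_scalings("
        "component_id INTEGER, owner TEXT, channel TEXT, factor REAL, offset_ REAL)"
    )
    conn.executemany(
        "INSERT INTO component_scalings VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_component_scalings_vulnerable(conn, owner: str, component_id: str):
    """'Before' pattern: the caller's component_id string is pasted into the
    statement, so anything that parses as SQL reaches the SQL engine."""
    sql = (
        "SELECT channel, factor, offset_ FROM component_scalings "
        f"WHERE owner = '{owner}' AND component_id = {component_id}"
    )
    return conn.execute(sql).fetchall()


def lookup_component_scalings_hardened(conn, owner: str, component_id: str):
    """'After' pattern: reject anything that is not an integer id, then bind
    both values as parameters so they can never change the query structure."""
    if not component_id.isdigit():
        raise ValueError("component_id must be a non-negative integer")
    sql = (
        "SELECT channel, factor, offset_ FROM component_scalings "
        "WHERE owner = ? AND component_id = ?"
    )
    return conn.execute(sql, (owner, int(component_id))).fetchall()


def demo() -> dict:
    """Run both variants on a normal id and on an id that is really a SQL
    expression; return row counts so the difference is observable."""
    conn = make_db()
    normal = "1"
    # Constructed bad input: in the vulnerable variant the appended OR is
    # evaluated by SQLite and the WHERE clause matches every row, including
    # tenant-b's, which is the cross-tenant confidentiality loss.
    tainted = "1 OR 1=1"

    result = {
        "vulnerable_normal": len(
            lookup_component_scalings_vulnerable(conn, "tenant-a", normal)
        ),
        "vulnerable_tainted": len(
            lookup_component_scalings_vulnerable(conn, "tenant-a", tainted)
        ),
        "hardened_normal": len(
            lookup_component_scalings_hardened(conn, "tenant-a", normal)
        ),
    }
    try:
        lookup_component_scalings_hardened(conn, "tenant-a", tainted)
        result["hardened_tainted"] = "accepted"
    except ValueError:
        result["hardened_tainted"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns one row for the legitimate request but all three rows, across both tenants, for the crafted id; the hardened variant returns the same single row for the legitimate request and refuses the crafted one before any SQL runs. Binding parameters is the fix; the integer check in front of it is defence in depth and also gives you a clean place to log rejected ids for detection.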
Exploitation
An attacker must first obtain a valid low-privileged account (e.g., via registration, default credentials, or prior compromise). With authenticated access, the attacker sends crafted input to the getComponentScalings endpoint. The attacker does not require any special network position beyond reachability to the vulnerable web interface; no user interaction from other users is needed. The SQL injection is blind or error-based, enabling step-by-step extraction of data from the database.
Impact
Successful exploitation leads to a total loss of confidentiality, as the attacker can read arbitrary data from the database. This includes potentially sensitive information such as user credentials, configuration details, and operational data. In CIA terms the impact is to confidentiality; integrity and availability are not directly affected by the injection itself.
Mitigation
The vendor, MB connect line GmbH, has published advisory VDE-2026-044 [1] detailing the affected versions. Users should upgrade to the fixed versions listed in the advisory. If a patch is not immediately available, network segmentation and strict access controls for low-privileged accounts are recommended. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1 reference: [1] vendor advisory VDE-2026-044 (cited above).
News mentions
No linked articles in our index yet.