CVE-2026-40851
Description
A local attacker can perform a confusion attack on the cfgparser via a specially crafted file on an USB stick leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker with physical USB access can trigger a confusion attack on the cfgparser of MB connect line mbNET/mbNET.rokey/mbNET.mini, leading to arbitrary code execution and full system compromise.
Vulnerability
A confusion attack exists in the cfgparser component of MB connect line mbNET, mbNET.rokey, and mbNET.mini devices. The vulnerability is triggered when a specially crafted file on a USB stick is parsed by the configuration parser. The affected firmware versions are not explicitly enumerated in the available references, but all models listed in the advisory are considered affected. The bug resides in the parser's handling of malformed input, leading to a code execution path during the configuration loading process [1].
Exploitation
The attacker must have physical access to the device and be able to insert a USB storage device. No authentication is required for this attack vector, as the USB port is typically accessible and the device automatically processes configuration files from external media. The sequence involves: (1) crafting a malicious file that exploits the parser confusion, (2) placing it on a USB stick, (3) inserting the USB stick into the target device, and (4) triggering the parsing (e.g., by a reboot or automatic detection). The vulnerability is classified as command injection, indicating the attacker supplies operating system commands within the crafted file [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with high privileges (likely root), achieving a total loss of confidentiality, integrity, and availability. The attacker gains full system compromise, including the ability to read sensitive data, modify device configuration, install persistent malware, or render the device inoperable [1].
Mitigation
As of the publication date (2026-05-27), no patched firmware version has been released by MB connect line GmbH. The vendor has acknowledged the issue and is working on a fix. No workaround is provided in the available references. Users are advised to restrict physical access to the USB ports and monitor the vendor's advisory for an update. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the advisory date [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1News mentions
0No linked articles in our index yet.