CVE-2026-40852
Description
A highly authenticated attacker can alter the config generator, injecting a payload into configurations created in the future. The device does not correctly check this configuration value before passing it to a system execute call, leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A highly authenticated attacker can inject commands via the config generator in mbNET/mbNET.rokey/mbNET.mini, leading to full system compromise.
Vulnerability
A command injection vulnerability exists in the config generator of MB connect line mbNET, mbNET.rokey, and mbNET.mini devices. The device does not properly sanitize configuration values before passing them to a system execute call, allowing a highly authenticated attacker to inject arbitrary payloads into future configurations. Affected versions are detailed in the vendor advisory [1].
Exploitation
An attacker must have high authentication privileges on the device. They can alter the config generator to embed a malicious payload into a configuration value. When the configuration is subsequently processed, the unsanitized value is executed as a system command, resulting in code execution.
Impact
Successful exploitation leads to complete compromise of the device, including total loss of confidentiality, integrity, and availability. The attacker gains full system control.
Mitigation
Apply the firmware updates provided by MB connect line in advisory [1]. No known workarounds are available; updating to the latest firmware is the only mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.