CVE-2026-32968

CRITICAL

mbCONNECT24 < 2.19.3 - Unauthenticated RCE in com_mb24sysapi

Title source: manual

Description

Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383.

References (2)

Core 2

Core References

https://certvde.com/de/advisories/VDE-2026-024

https://certvde.com/de/advisories/VDE-2026-025

Scores

CVSS v3 9.8

EPSS 0.0055

EPSS Percentile 41.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-78

Status published

Products (4)

Helmholz/myREX24V2 0.0.0 - 2.19.3

Helmholz/myREX24V2.virtual 0.0.0 - 2.19.3

MB connect line/MB connect line mbCONNECT24 0.0.0 - 2.19.3

MB connect line/mymbCONNECT24 0.0.0 - 2.19.3

Published Mar 23, 2026

Tracked Since Mar 23, 2026