nvd
Mbconnectline
Vulnerabilities
52
Known exploited
0
Critical
6
High
22
Top products
Mbconnect2438Mymbconnect2438Mbnet.mini13Mbnet.mini Firmware13Mbdialup2Mbnet2Mbnet Firmware2Mbnet Hw12Mbnet Hw1 Firmware2Mbnet.rokey2Mbnet.rokey Firmware2Mbspider Mdh 9052Mbspider Mdh 905 Firmware2Mbspider Mdh 9062Mbspider Mdh 906 Firmware2Mbspider Mdh 9152Mbspider Mdh 915 Firmware2Mbspider Mdh 9162Mbspider Mdh 916 Firmware2
Top vulnerabilities
CVE-2024-45275The devices contain two hard coded user accounts with hardcoded passwords that allow an unauthenticated remote attacker for full control of the affected devices.
CVE-2024-45274An unauthenticated remote attacker can execute OS commands via UDP on the device due to missing authentication.
CVE-2021-33527In MB connect line mbDIALUP versions <= 3.9R0.0 a remote attacker can send a specifically crafted HTTP request to the service running with NT AUTHORITY\SYSTEM that will not correctly validate the input. This can lead to an arbitrary code execution with the privileges of the service.
CVE-2020-35565An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The login pages bruteforce detection is disabled by default.
CVE-2020-10383An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an unauthenticated remote code execution in the com_mb24sysapi module.
CVE-2026-33615An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.
CVE-2026-33613Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.
This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.
CVE-2023-0985An Authorization Bypass vulnerability was found in MB Connect Lines mbCONNECT24, mymbCONNECT24 and Helmholz' myREX24 and myREX24.virtual version <= 2.13.3. An authenticated remote user with low privileges can change the password of any user in the same account. This allows to take over the admin user and therefore fully compromise the account.
CVE-2020-10382An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.5.0. There is an authenticated remote code execution in the backup-scheduler.
CVE-2024-45273An unauthenticated local attacker can decrypt the devices config file and therefore compromise the device due to a weak implementation of the encryption used.
CVE-2024-45271An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation.
CVE-2021-33526In MB connect line mbDIALUP versions <= 3.9R0.0 a low privileged local attacker can send a command to the service running with NT AUTHORITY\SYSTEM instructing it to execute a malicous OpenVPN configuration resulting in arbitrary code execution with the privileges of the service.
CVE-2020-35567An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. The software uses a secure password for database access, but this password is shared across instances.
CVE-2020-10384An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software in all versions through 2.6.1. There is a local privilege escalation from the www-data account to the root account.
CVE-2020-12528An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT24 software in all versions through V2.6.2. Improper use of access validation allows a logged in user to kill web2go sessions in the account he should not have access to.
CVE-2026-33616An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
CVE-2026-33614An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
CVE-2025-41679An unauthenticated remote attacker could exploit a buffer overflow vulnerability in the device causing a denial of service that affects only the network initializing wizard (Conftool) service.
CVE-2024-45276An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication.
CVE-2024-45272An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection lost.
CVE-2021-34580In mymbCONNECT24, mbCONNECT24 <= 2.9.0 an unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.
CVE-2021-34575In MB connect line mymbCONNECT24, mbCONNECT24 in versions <= 2.8.0 an unauthenticated user can enumerate valid users by checking what kind of response the server sends.
CVE-2020-35564An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 through 2.6.2. There is an outdated and unused component allowing for malicious user input of active code.
CVE-2020-35558An issue was discovered in MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual through 2.11.2. There is an SSRF in the in the MySQL access check, allowing an attacker to scan for open ports and gain some information about possible credentials.
CVE-2025-41678A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement.