Description
A high-privileged remote attacker can access a hidden configuration method that should not be accessible to any user, and use it to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.
Published: 2026-06-23
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker with high privileges can call a hidden configuration method that is not intended for user access. This flaw allows the attacker to change critical program parameters, leading to a complete loss of confidentiality, integrity, and availability as described in the advisory. The weakness is classified as CWE-425, Direct Request ('Forced Browsing'): the method is reachable by requesting it directly because access control is not enforced on that path.

Affected Systems

The vulnerability impacts MB Connect Line products, specifically mbCONNECT24 and mymbCONNECT24, version 2.20.1. Operators should check whether they are running this version, since the hidden configuration method is present in the affected release.

Risk and Exploitability

The CVSS v4.0 score of 8.6 (CVSS v3.1: 7.2) indicates high severity. No EPSS score is available, so the exploitation probability is unknown, and the absence of a KEV listing suggests it is not known to be actively exploited in the wild. The attack vector is network-based, and the attacker must already be authenticated with high privileges, which is plausible where an administrative account has been compromised. Given the potential for complete disruption, the risk remains high until the flaw is remediated.

Generated by OpenCVE AI on June 23, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update mbCONNECT24 and mymbCONNECT24 to the latest patch that removes the hidden configuration method
  • Configure network firewalls or access control lists to restrict connection to the configuration endpoint to trusted internal IP addresses
  • Apply the principle of least privilege: disable or remove any unused high‑privileged accounts and enforce strict role‑based access controls on configuration interfaces



Advisories

No advisories yet.

History

Tue, 23 Jun 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A high-privileged remote attacker can access a hidden configuration method that should not be accessible to any user, and use it to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.
Title | | Authenticated unintended access to critical program parameters
First Time appeared | | Mb Connect Line; Mb Connect Line mbconnect24; Mb Connect Line mymbconnect24
Weaknesses | | CWE-425
CPEs | | cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
 | | cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
 | | cpe:2.3:o:mb_connect_line:mbconnect24:2.20.1:*:*:*:*:*:*:*
 | | cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.1:*:*:*:*:*:*:*
Vendors & Products | | Mb Connect Line; Mb Connect Line mbconnect24; Mb Connect Line mymbconnect24
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}
 | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-06-23T07:34:10.089Z

Reserved: 2026-06-01T08:47:49.983Z

Link: CVE-2026-10521

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T09:30:06Z

Weaknesses
  • CWE-425: Direct Request ('Forced Browsing')