Impact
The vulnerability arises from the improper neutralisation of special elements used in an operating-system command within the com_mb24sysapi module. An unauthenticated remote attacker can craft a request that bypasses the module's input filtering, causing the module to execute arbitrary OS commands with the privileges of the running process. Successful exploitation therefore amounts to remote code execution and full system compromise. This flaw is a variant of the earlier CVE-2020-10383 vulnerability, indicating a repeated weakness in the same code base.
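The following is an added illustration of the weakness class named above (improper neutralisation, CWE-78), not code from the affected products: the advisory gives neither the module's language nor the vulnerable parameter, so the hostname parameter and its allowlist pattern are assumptions. The denylist filter shows the kind of neutralisation that leaves command syntax intact; the hardened handler validates against an allowlist and invokes the program without a shell.

```python
import re
import subprocess
import sys

# Allowlist for a hostname-style request parameter (assumed; the advisory names no parameter).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def filter_by_denylist(value: str) -> str:
    """Neutralisation by stripping a few characters, the approach CWE-78 calls out as
    insufficient: any shell metacharacter not on the list survives into the command."""
    for ch in (";", "&"):
        value = value.replace(ch, "")
    return value


def build_shell_command_unsafe(host: str) -> str:
    """Builds a shell command string from denylist-filtered input. It is never executed
    here; it only shows that filtered input can still carry shell-significant syntax."""
    return "ping -c 1 " + filter_by_denylist(host)


def validate_hostname(host: str) -> str:
    """Allowlist validation: accept only characters a hostname may legitimately contain."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return host


def echo_host_safely(host: str) -> str:
    """Hardened pattern: validate first, then pass the value as a discrete argv element
    with no shell, so nothing in it can be parsed as command syntax. The Python
    interpreter stands in for the real tool so the example runs on any platform."""
    host = validate_hostname(host)
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", host],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    print(build_shell_command_unsafe("host|other"))   # pipe survives the denylist
    print(echo_host_safely("gateway.example.net"))    # accepted and echoed verbatim
```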
Affected Systems
The affected products are Helmholz's myREX24V2 and myREX24V2.virtual, and MB Connect Line's mbCONNECT24 and mymbCONNECT24. No specific firmware or software version numbers are supplied, so all current releases of these products should be treated as vulnerable until the vendors confirm a fix.
Risk and Exploitability
The CVSS score is 9.8, a critical severity rating. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog; neither fact reduces its potential impact. The likely attack vector is remote, unauthenticated exploitation of the exposed com_mb24sysapi interface, which can be triggered from any network able to reach the device. Given the severity rating and the nature of the flaw, the window of opportunity for attackers is substantial.
OpenCVE Enrichment