Description
Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.
This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.
Published: 2026-04-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The generateSrpArray function contains an OS command injection flaw caused by improper neutralization of special elements. An attacker who can supply input to this function can execute arbitrary operating‑system commands, resulting in full compromise of the affected system.

Affected Systems

The MB connect line products mbCONNECT24 and mymbCONNECT24 are affected. No specific version information is listed, so all current releases should be assumed vulnerable until a vendor update is issued.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, but the exploit probability (EPSS) is not available and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector requires the attacker to first obtain a capability to write arbitrary data to the user table; once that is achieved, the OS command injection can be triggered remotely over the network. Full credential compromise or data exfiltration is possible if the attacker can execute desired commands.

Generated by OpenCVE AI on April 2, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch as soon as it is released.
  • Restrict or monitor write access to the user table to prevent the prerequisite data injection.
  • Validate and sanitize all inputs to generateSrpArray if a patch is not yet available.
  • Monitor system logs for unexpected command execution or abnormal system activity.
  • Conduct regular vulnerability scans and penetration testing to identify any related weaknesses.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mbconnectline; Mbconnectline mbconnect24; Mbconnectline mymbconnect24
Vendors & Products | | Mbconnectline; Mbconnectline mbconnect24; Mbconnectline mymbconnect24

Thu, 02 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 09:30:00 +0000

Type | Values Removed | Values Added
Description | | Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.
Title | | MB connect line mbCONNECT24 vulnerable to RCE in generateSrpArray
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-04-02T13:42:38.209Z

Reserved: 2026-03-23T13:15:49.381Z

Link: CVE-2026-33613

Vulnrichment

Updated: 2026-04-02T13:42:18.445Z

NVD

Status: Received

Published: 2026-04-02T10:16:15.727

Modified: 2026-04-02T10:16:15.727

Link: CVE-2026-33613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:39Z

Weaknesses