Impact
The ugw-delete-file method in MBS firmware allows a remote attacker with user privileges to delete any local file on the device because the input controlling the file path is not properly validated. This flaw can lead to the loss of configuration information, system logs, or other critical data, compromising the integrity and availability of affected devices. The vulnerability maps to CWE-73 (External Control of File Name or Path), reflecting a path traversal or insufficient input validation weakness.
Affected Systems
The flaw affects a broad range of MBS industrial control product families, including Double-A Profibus, Double-A x-link, Double-X CAN, Double-X DALI, Double-X KNX, Double-X LON, Double-X M-Bus, Double-X PROFINET, Double-X x-link, Single-A, Single-X, and various Triple-X configurations such as KNX+DALI, KNX+LON, KNX+M-Bus, PROFINET+DALI, PROFINET+KNX, PROFINET+LON, and PROFINET+M-Bus. No specific firmware version numbers are supplied, so all currently installed releases are potentially vulnerable until a patch is available.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.2, indicating a high impact if exploited. The EPSS score is not available, but the lack of a KEV listing suggests that active exploitation has not yet been widely reported. An attacker only needs remote reach and valid user credentials with standard privileges; no higher-level permissions or physical access are required. Deployment of a patch or other mitigations is strongly recommended to prevent potential data loss or service disruption.