Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection in the ssoabstractservice. Because the service does not properly neutralize special characters in a SQL SELECT command, a remote attacker can inject arbitrary SQL code. The lack of authentication requirements allows anyone to send malicious requests, resulting in a total loss of confidentiality as an attacker can read any data stored in the database.

Affected Systems

The issue affects Helmholz myREX24V2 and its virtual variant, as well as MB connect line mbCONNECT24 and mymbCONNECT24. The impacted versions are inferred from the CPE entries, which reference version 2.20.0; the original description does not specify the fixed version.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating a high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation is straightforward: a remote attacker can send a crafted request to the ssoabstractservice endpoint over the network without authentication and embed malicious SQL. Successful injection would grant the attacker full read access to the database. The likely attack vector is internet-facing connections to the service. The absence of authentication and the high CVSS score underscore the critical nature of this vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 09:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch or upgrade to a version where input sanitization in the ssoabstractservice has been fixed.
  • If a patch is not yet available, limit access to the ssoabstractservice endpoint to trusted networks and enforce strict input validation using parameterized queries or prepared statements.
  • Enable a web‑application firewall rule set that blocks typical SQL injection payloads targeting the ssoabstractservice.
  • Monitor database query logs for anomalous activity and investigate any unauthorized data retrieval attempts.

Generated by OpenCVE AI on May 27, 2026 at 09:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Helmholz myrex24.virtual
Helmholz myrex24 V2
Mbconnectline
Mbconnectline mbconnect24
Mbconnectline mymbconnect24
Vendors & Products Helmholz myrex24.virtual
Helmholz myrex24 V2
Mbconnectline
Mbconnectline mbconnect24
Mbconnectline mymbconnect24

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the ssoabstractservice due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Title Unauthenticated SQLi in ssoabstractservice
First Time appeared Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
Weaknesses CWE-89
CPEs cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*
Vendors & Products Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Helmholz Myrex24.virtual Myrex24 V2 Myrex24v2 Myrex24v2.virtual Myrex24v2virtual
Mb Connect Line Mbconnect24 Mymbconnect24
Mbconnectline Mbconnect24 Mymbconnect24
cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T12:03:38.795Z

Reserved: 2026-04-15T09:33:02.610Z

Link: CVE-2026-40811

cve-icon Vulnrichment

Updated: 2026-05-27T12:03:33.135Z

cve-icon NVD

Status : Received

Published: 2026-05-27T08:16:41.343

Modified: 2026-05-27T08:16:41.343

Link: CVE-2026-40811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:00:16Z

Weaknesses