Description
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Published: 2026-05-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated remote attacker can exploit a SQL Injection flaw in the getLiveValues function’s sn parameter due to inadequate neutralization of special characters in a SQL SELECT statement. The vulnerability is identified as CWE‑89 and can lead to a total loss of confidentiality of sensitive data. It requires no authentication and can be triggered over the network. The data exposed can include proprietary system settings and user information. The attack allows the attacker to read arbitrary data from the underlying database.

Affected Systems

Helmholz products myREX24V2 and myREX24V2.virtual running OS version 2.20.0, as well as MB connect line products mbCONNECT24 and mymbCONNECT24 also at version 2.20.0. These devices expose an endpoint that processes the getLiveValues request.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity issue. The exploit is possible over the network without any prior authentication, implying a high likelihood of attack if the endpoint is reachable. Although the EPSS score is not available, the lack of authentication requirement and the high CVSS suggest that the vulnerability could be actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, but the remote nature and high impact warrant immediate mitigation.

Generated by OpenCVE AI on May 27, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for myREX24V2, myREX24V2.virtual, mbCONNECT24, and mymbCONNECT24 that addresses the SQL Injection flaw.
  • Restrict external access to the getLiveValues endpoint using firewalls or network segmentation so that only trusted internal systems can reach it.
  • Implement or enforce proper input validation and use parameterized queries to prevent injection attacks if patching is delayed.

Generated by OpenCVE AI on May 27, 2026 at 09:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Helmholz myrex24.virtual
Helmholz myrex24 V2
Mbconnectline
Mbconnectline mbconnect24
Mbconnectline mymbconnect24
Vendors & Products Helmholz myrex24.virtual
Helmholz myrex24 V2
Mbconnectline
Mbconnectline mbconnect24
Mbconnectline mymbconnect24

Wed, 27 May 2026 08:00:00 +0000

Type Values Removed Values Added
Description An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
Title Unauthenticated SQLi in getLiveValues function
First Time appeared Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
Weaknesses CWE-89
CPEs cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*
Vendors & Products Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Helmholz Myrex24.virtual Myrex24 V2 Myrex24v2 Myrex24v2.virtual Myrex24v2virtual
Mb Connect Line Mbconnect24 Mymbconnect24
Mbconnectline Mbconnect24 Mymbconnect24
cve-icon MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T12:03:23.991Z

Reserved: 2026-04-15T09:33:02.610Z

Link: CVE-2026-40812

cve-icon Vulnrichment

Updated: 2026-05-27T12:03:18.832Z

cve-icon NVD

Status : Received

Published: 2026-05-27T08:16:41.487

Modified: 2026-05-27T08:16:41.487

Link: CVE-2026-40812

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T09:45:30Z

Weaknesses