Description
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
Published: 2026-05-27
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL injection flaw in the UpdateParam function of the admin.mbnetj.php module, caused by inadequate neutralization of special characters in a SQL UPDATE statement. An attacker with high privileged access can read the entire database and modify values in a non‑critical table, resulting in a complete loss of confidential data and partial loss of data integrity.

Affected Systems

Affected products include Helmholz myREX24V2 and myREX24V2.virtual as well as MB connect line mbCONNECT24 and mymbCONNECT24, all running firmware version 2.20.0 as indicated by the CPE strings.

Risk and Exploitability

The CVSS 4.0 score of 7 denotes high severity. With no EPSS score available, the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable by a high‑privileged remote attacker, likely through the administrative interface, granting access to the entire database.

Generated by OpenCVE AI on May 27, 2026 at 10:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Helmholz and MB connect line products to the latest available releases, ensuring any vendor‑issued fixes for the UpdateParam function are installed.
  • Restrict access to the admin interface by implementing strong authentication, enforcing least privilege, and limiting management traffic to trusted networks or a VPN.
  • Refactor the UpdateParam code to use parameterized queries or prepared statements, and sanitize all input before inclusion in SQL statements.
  • If a vendor workaround is available, apply it as a temporary measure until a full patch is released; otherwise, disable write operations to the non‑critical table from external input sources.

Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php file's UpdateParam function due to improper neutralization of special elements in a SQL UPDATE command, allowing for reading the whole database and changing values in a non-critical table. This can result in a total loss of confidentiality and some loss of integrity.
Title Authenticated SQLi in UpdateParam function
First Time appeared Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
Weaknesses CWE-89
CPEs cpe:2.3:a:helmholz:myrex24v2.virtual:*:*:*:*:*:*:*:*
cpe:2.3:a:helmholz:myrex24v2:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:a:mb_connect_line:mymbconnect24:*:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:helmholz:myrex24v2virtual:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mbconnect24:2.20.0:*:*:*:*:*:*:*
cpe:2.3:o:mb_connect_line:mymbconnect24:2.20.0:*:*:*:*:*:*:*
Vendors & Products Helmholz
Helmholz myrex24v2
Helmholz myrex24v2.virtual
Helmholz myrex24v2virtual
Mb Connect Line
Mb Connect Line mbconnect24
Mb Connect Line mymbconnect24
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published:

Updated: 2026-05-27T11:59:26.164Z

Reserved: 2026-04-15T09:33:02.612Z

Link: CVE-2026-40830

Vulnrichment

Updated: 2026-05-27T11:59:21.579Z

NVD

Status: Deferred

Published: 2026-05-27T09:16:28.467

Modified: 2026-05-27T14:53:22.863

Link: CVE-2026-40830

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T11:15:18Z
