
MB connect line: Multiple vulnerabilities in mbNET/mbNET.rokey/mbNET.mini

VDE-2026-054
Last update: 05/27/2026 13:00
Published at: 05/27/2026 13:00
Vendor(s): MB connect line GmbH
External ID: VDE-2026-054

Summary

Two command injection vulnerabilities have been discovered in MB connect line mbNET/mbNET.rokey/mbNET.mini.

Impact

The vulnerabilities allow command injection in mbNET/mbNET.rokey/mbNET.mini, with varying prerequisites, resulting in full system compromise.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| | mbNET.mini | Firmware <=3.0.2, Firmware 3.0.2 |
| | mbNET/mbNET.rokey | Firmware 8.4.4, Firmware <=8.4.4 |

Vulnerabilities


Published: 05/27/2026 10:10
Weakness: Improper Validation of Specified Type of Input (CWE-1287)
Summary

A low-privileged local attacker can perform a confusion attack on the cfgparser via a specially crafted file on a USB stick, leading to code execution. This can result in a total loss of confidentiality, integrity and availability.


Published: 05/27/2026 10:10
Weakness: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

A high-privileged attacker can alter the config generator to inject a payload into configurations created in the future. The device does not correctly check this configuration value before passing it to a system execute call, leading to code execution. This can result in a total loss of confidentiality, integrity and availability.
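
The CWE-78 pattern described above, as an added illustration that is not MB connect line code and not part of the advisory: a generated configuration value is checked against an allowlist and handed to the tool as a single argv entry instead of being concatenated into a shell command line. The function names, the allowed character set and the 63-byte limit are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape (CWE-78): snprintf(cmd, sizeof cmd, "tool %s", value); system(cmd);
 * Hardened shape below. Allowlist for a hypothetical config field: ASCII letters,
 * digits, '.', '_', '-'; 1..63 bytes; no leading '-' (would parse as an option). */
int cfg_value_is_safe(const char *v)
{
    if (v == NULL) return 0;
    size_t n = strlen(v);
    if (n == 0 || n > 63 || v[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Run `tool value` with no shell involved. Returns the tool's exit status
 * (127 if exec failed), -1 on fork/wait failure or abnormal termination,
 * -2 if the value is rejected before anything is executed. */
int run_with_cfg_value(const char *tool, const char *value)
{
    if (!cfg_value_is_safe(value)) return -2;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)value, NULL };
        execv(tool, argv);   /* value stays one argv entry, never shell-parsed */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample values, not taken from any device or report. */
    const char *samples[] = { "eth0", "vpn-1.lan", "eth0;id", "$(id)", "-rf" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               cfg_value_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```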


Remediation

Update:

  • mbNET/mbNET.rokey: 8.4.5
  • mbNET.mini: 3.0.3

Acknowledgments

MB connect line GmbH thanks the following parties for their efforts:

Revision History

| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 05/27/2026 13:00 | Initial revision. |