Refine your search
26 vulnerabilities found for by MBS
CVE-2026-35085 (GCVE-0-2026-35085)
Vulnerability from cvelistv5
Published
2026-06-03 10:42
Modified
2026-06-09 10:29
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35085",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:38:10.423532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:38:18.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus."
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.\u003c/p\u003e"
}
],
"value": "A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:29:31.629Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Stack buffer overflow in method gdv-serverconfig",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35085",
"datePublished": "2026-06-03T10:42:22.835Z",
"dateReserved": "2026-04-01T08:28:27.142Z",
"dateUpdated": "2026-06-09T10:29:31.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35084 (GCVE-0-2026-35084)
Vulnerability from cvelistv5
Published
2026-06-03 10:42
Modified
2026-06-09 10:31
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35084",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T19:14:32.995589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T19:14:54.458Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.\u003c/p\u003e"
}
],
"value": "A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:31:00.391Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Stack buffer overflow in method dali-devconfig",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35084",
"datePublished": "2026-06-03T10:42:03.287Z",
"dateReserved": "2026-04-01T08:28:27.142Z",
"dateUpdated": "2026-06-09T10:31:00.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35083 (GCVE-0-2026-35083)
Vulnerability from cvelistv5
Published
2026-06-03 10:41
Modified
2026-06-09 10:31
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-121 - Stack-based Buffer Overflow
Summary
A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35083",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:13:32.326556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:07:23.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from ArmasuisseCyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.\u003c/p\u003e"
}
],
"value": "A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:31:42.916Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Stack buffer overflow in method bac-deviceobject",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35083",
"datePublished": "2026-06-03T10:41:44.226Z",
"dateReserved": "2026-04-01T08:28:27.142Z",
"dateUpdated": "2026-06-09T10:31:42.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35082 (GCVE-0-2026-35082)
Vulnerability from cvelistv5
Published
2026-06-03 10:41
Modified
2026-06-09 10:33
Severity ?
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35082",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:17:16.483140Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:17:26.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input. \u003c/p\u003e"
}
],
"value": "The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:33:20.489Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Local file inclusion vulnerability and deletion in ugw-logread method",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35082",
"datePublished": "2026-06-03T10:41:00.660Z",
"dateReserved": "2026-04-01T08:28:27.142Z",
"dateUpdated": "2026-06-09T10:33:20.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35081 (GCVE-0-2026-35081)
Vulnerability from cvelistv5
Published
2026-06-03 10:40
Modified
2026-06-09 10:34
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35081",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:43:08.950874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:43:15.993Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input.\u003c/p\u003e"
}
],
"value": "The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:34:04.926Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary process termination vulnerability in method ugw-logstop",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35081",
"datePublished": "2026-06-03T10:40:44.560Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:34:04.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35080 (GCVE-0-2026-35080)
Vulnerability from cvelistv5
Published
2026-06-03 10:40
Modified
2026-06-09 10:35
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:32:48.333684Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:34:20.844Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.\u003c/p\u003e"
}
],
"value": "The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:35:50.847Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary file delete vulnerability in method ugw-restoreinfo",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35080",
"datePublished": "2026-06-03T10:40:25.172Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:35:50.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35079 (GCVE-0-2026-35079)
Vulnerability from cvelistv5
Published
2026-06-03 10:39
Modified
2026-06-09 10:36
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:38:56.295555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:39:03.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.\u003c/p\u003e"
}
],
"value": "The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:36:31.015Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary file delete vulnerability in method ugw-restore",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35079",
"datePublished": "2026-06-03T10:39:51.326Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:36:31.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35078 (GCVE-0-2026-35078)
Vulnerability from cvelistv5
Published
2026-06-03 10:39
Modified
2026-06-09 10:37
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T13:13:48.270847Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:07:29.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.\u003c/p\u003e"
}
],
"value": "The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:37:00.591Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary file delete vulnerability in method ugw-logstop",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35078",
"datePublished": "2026-06-03T10:39:33.498Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:37:00.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35077 (GCVE-0-2026-35077)
Vulnerability from cvelistv5
Published
2026-06-03 10:39
Modified
2026-06-09 10:37
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T14:16:16.677133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:16:50.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.\u003c/p\u003e"
}
],
"value": "The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:37:27.857Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary file delete vulnerability in method ugw-delete-file",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35077",
"datePublished": "2026-06-03T10:39:12.567Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:37:27.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35076 (GCVE-0-2026-35076)
Vulnerability from cvelistv5
Published
2026-06-03 10:38
Modified
2026-06-09 10:37
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-73 - External Control of File Name or Path
Summary
The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:43:26.903435Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:43:33.610Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Damian Pfammatter from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.\u003c/p\u003e"
}
],
"value": "The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73 External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:37:57.484Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary file delete vulnerability in method bac-scanresult",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35076",
"datePublished": "2026-06-03T10:38:49.975Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:37:57.484Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35075 (GCVE-0-2026-35075)
Vulnerability from cvelistv5
Published
2026-06-03 10:38
Modified
2026-06-09 10:38
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VLAI Severity ?
EPSS score ?
CWE
- CWE-1393 - Use of Default Password
Summary
An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| MBS | Single-A |
Version: V1_0_0_0 < V6_0_0_7 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T12:39:57.652546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T12:41:59.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Single-A",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A Profibus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-A x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Single-X",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X CAN",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X PROFINET",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Double-X x-link",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X KNX+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+DALI",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+KNX",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Triple-X PROFINET+M-Bus",
"vendor": "MBS",
"versions": [
{
"lessThan": "V6_0_0_7",
"status": "affected",
"version": "V1_0_0_0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
"versionEndExcluding": "V6_0_0_7",
"versionStartIncluding": "V1_0_0_0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrien Rey from Armasuisse Cyber-Defence campus"
},
{
"lang": "en",
"type": "finder",
"value": "Daniel Hulliger from Armasuisse Cyber-Defence campus"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. \u003c/p\u003e"
}
],
"value": "An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T10:38:45.361Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
}
],
"source": {
"advisory": "VDE-2026-039",
"defect": [
"CERT@VDE#642009"
],
"discovery": "UNKNOWN"
},
"title": "Hardcoded default Password for Service Account",
"x_generator": {
"engine": "Vulnogram 0.4.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2026-35075",
"datePublished": "2026-06-03T10:38:23.515Z",
"dateReserved": "2026-04-01T08:28:27.141Z",
"dateUpdated": "2026-06-09T10:38:45.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41772 (GCVE-0-2025-41772)
Vulnerability from cvelistv5
Published
2026-03-09 08:18
Modified
2026-03-09 18:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-598 - Use of GET Request Method With Sensitive Query Strings
Summary
An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41772",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T18:17:43.406586Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:18:41.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR.\u003cbr\u003e"
}
],
"value": "An unauthenticated remote attacker can obtain valid session tokens because they are exposed in plaintext within the URL parameters of the wwwupdate.cgi endpoint in UBR."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598 Use of GET Request Method With Sensitive Query Strings",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:18:49.918Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "wwwupdate.cgi Session token in URL",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41772",
"datePublished": "2026-03-09T08:18:49.918Z",
"dateReserved": "2025-04-16T11:18:45.761Z",
"dateUpdated": "2026-03-09T18:18:41.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41767 (GCVE-0-2025-41767)
Vulnerability from cvelistv5
Published
2026-03-09 08:18
Modified
2026-03-09 18:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Summary
A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41767",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T18:18:54.140033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:19:09.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR.\u003cbr\u003e"
}
],
"value": "A high-privileged remote attacker can fully compromise the device by abusing an update signature bypass vulnerability in the wwwupdate.cgi method in the web interface of UBR."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:18:17.428Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Signature bypass on update upload",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41767",
"datePublished": "2026-03-09T08:18:17.428Z",
"dateReserved": "2025-04-16T11:18:45.761Z",
"dateUpdated": "2026-03-09T18:19:09.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41766 (GCVE-0-2025-41766)
Vulnerability from cvelistv5
Published
2026-03-09 08:18
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-787 - Out-of-bounds Write
Summary
A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41766",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:03:36.827793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:03.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can trigger a stack-based buffer overflow via a crafted HTTP POST request using the ubr-network method resulting in full device compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:18:03.783Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Stack buffer overflow on parsing web request",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41766",
"datePublished": "2026-03-09T08:18:03.783Z",
"dateReserved": "2025-04-16T11:18:45.761Z",
"dateUpdated": "2026-03-09T20:14:03.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41765 (GCVE-0-2025-41765)
Vulnerability from cvelistv5
Published
2026-03-09 08:17
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:03:25.311007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:03.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys.\u003cbr\u003e"
}
],
"value": "Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupload.cgi endpoint to upload and apply arbitrary data. This includes, but is not limited to, contact images, HTTPS certificates, system backups for restoration, server peer configurations, and BACnet/SC server certificates and keys."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:17:54.920Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Unchecked role in wwwupload.cgi",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41765",
"datePublished": "2026-03-09T08:17:54.920Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:03.869Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41764 (GCVE-0-2025-41764)
Vulnerability from cvelistv5
Published
2026-03-09 08:17
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:03:13.228044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:04.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates.\u003cbr\u003e"
}
],
"value": "Due to insufficient authorization enforcement, an unauthorized remote attacker can exploit the wwwupdate.cgi endpoint to upload and apply arbitrary updates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:17:45.486Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Unchecked role in wwwupdate.cgi",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41764",
"datePublished": "2026-03-09T08:17:45.486Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:04.019Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41763 (GCVE-0-2025-41763)
Vulnerability from cvelistv5
Published
2026-03-09 08:17
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Summary
A low‑privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:03:00.492923Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:04.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low\u2011privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files.\u003cbr\u003e"
}
],
"value": "A low\u2011privileged remote attacker can directly interact with the wwwdnload.cgi endpoint to download any resource available to administrators, including system backups and certificate request files."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:17:36.947Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Unchecked role in wwwdnload.cgi",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41763",
"datePublished": "2026-03-09T08:17:36.947Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:04.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41762 (GCVE-0-2025-41762)
Vulnerability from cvelistv5
Published
2026-03-09 08:17
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-328 - Use of Weak Hash
Summary
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:02:52.027636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:04.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates.\u003cbr\u003e"
}
],
"value": "An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328 Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:17:27.510Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Secret leak with wwwdnload.cgi",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41762",
"datePublished": "2026-03-09T08:17:27.510Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:04.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41761 (GCVE-0-2025-41761)
Vulnerability from cvelistv5
Published
2026-03-09 08:17
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Summary
A low‑privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41761",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:02:37.352857Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:04.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo.\u003cbr\u003e"
}
],
"value": "A low\u2011privileged local attacker who gains access to the UBR service account (e.g., via SSH) can escalate privileges to obtain full system access. This is due to the service account being permitted to execute certain binaries (e.g., tcpdump and ip) with sudo."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:17:11.116Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Privilege escalation possible",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41761",
"datePublished": "2026-03-09T08:17:11.116Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:04.600Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41760 (GCVE-0-2025-41760)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-636 - Not Failing Securely ('Failing Open')
Summary
An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41760",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:02:28.122177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:05.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered.\u003cbr\u003e"
}
],
"value": "An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-636",
"description": "CWE-636 Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:55.770Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Pass filter with Empty Table",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41760",
"datePublished": "2026-03-09T08:16:55.770Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:05.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41759 (GCVE-0-2025-41759)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-636 - Not Failing Securely ('Failing Open')
Summary
An administrator may attempt to block all networks by specifying "\*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:02:16.957824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:05.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An administrator may attempt to block all networks by specifying \"\\*\" or \"all\" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all.\u003cbr\u003e"
}
],
"value": "An administrator may attempt to block all networks by specifying \"\\*\" or \"all\" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-636",
"description": "CWE-636 Not Failing Securely (\u0027Failing Open\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:46.067Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Use of wildcard (\u201c*\u201d or \u201call\u201d) in Block list",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41759",
"datePublished": "2026-03-09T08:16:46.067Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:05.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41758 (GCVE-0-2025-41758)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:02:06.656318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:05.983Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can exploit an arbitrary file write vulnerability in the wwupload.cgi endpoint. Due to path traversal this can lead to overwriting arbitrary files on the device and achieving a full system compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:30.500Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary Write with wwwupload.cgi",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41758",
"datePublished": "2026-03-09T08:16:30.500Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:05.983Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41757 (GCVE-0-2025-41757)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41757",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:01:53.568390Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:06.180Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can abuse the backup restore functionality of UBR (ubr-restore) which runs with elevated privileges and does not validate the contents of the backup archive to create or overwrite arbitrary files anywhere on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:20.464Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary Write with ubr-restore",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41757",
"datePublished": "2026-03-09T08:16:20.464Z",
"dateReserved": "2025-04-16T11:18:45.760Z",
"dateUpdated": "2026-03-09T20:14:06.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41756 (GCVE-0-2025-41756)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1242 - Inclusion of Undocumented Features or Chicken Bits
Summary
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:01:41.875068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:06.365Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to write arbitrary files on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "CWE-1242 Inclusion of Undocumented Features or Chicken Bits",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:10.423Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary Write with ubr-editfile",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41756",
"datePublished": "2026-03-09T08:16:10.423Z",
"dateReserved": "2025-04-16T11:18:45.759Z",
"dateUpdated": "2026-03-09T20:14:06.365Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41755 (GCVE-0-2025-41755)
Vulnerability from cvelistv5
Published
2026-03-09 08:16
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it to reference any file and retrieve its contents.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:01:31.567720Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:06.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it to reference any file and retrieve its contents.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can exploit the ubr-logread method in wwwubr.cgi to read arbitrary files on the system. The endpoint accepts a parameter specifying the log file to open (e.g., /tmp/weblog{some_number}), but this parameter is not properly validated, allowing an attacker to modify it to reference any file and retrieve its contents."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:16:00.702Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary Read with ubr-logread",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41755",
"datePublished": "2026-03-09T08:16:00.702Z",
"dateReserved": "2025-04-16T11:18:45.759Z",
"dateUpdated": "2026-03-09T20:14:06.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-41754 (GCVE-0-2025-41754)
Vulnerability from cvelistv5
Published
2026-03-09 08:15
Modified
2026-03-09 20:14
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1242 - Inclusion of Undocumented Features or Chicken Bits
Summary
A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system.
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T20:01:21.260674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T20:14:06.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UBR-01 Mk II",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-02",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UBR-LON",
"vendor": "MBS",
"versions": [
{
"lessThan": "6.0.1.0",
"status": "affected",
"version": "0.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Adrien Rey from Cyber Defense Campus Zurich"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Hulliger from Armasuisse"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system.\u003cbr\u003e"
}
],
"value": "A low-privileged remote attacker can exploit the ubr-editfile method in wwwubr.cgi, an undocumented and unused API endpoint to read arbitrary files on the system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1242",
"description": "CWE-1242 Inclusion of Undocumented Features or Chicken Bits",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T08:15:49.619Z",
"orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"shortName": "CERTVDE"
},
"references": [
{
"url": "https://www.mbs-solutions.de/mbs-2025-0001"
}
],
"source": {
"defect": [
"CERT@VDE#641895"
],
"discovery": "UNKNOWN"
},
"title": "Arbitrary Read with ubr-editfile",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
"assignerShortName": "CERTVDE",
"cveId": "CVE-2025-41754",
"datePublished": "2026-03-09T08:15:49.619Z",
"dateReserved": "2025-04-16T11:18:45.759Z",
"dateUpdated": "2026-03-09T20:14:06.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}