Platform
other
Component
mbconnect24
Fixed in
2.19.5
CVE-2026-33614 describes an unauthenticated SQL injection vulnerability in mbCONNECT24. A remote attacker with no credentials can exploit it through the getinfo endpoint, potentially causing a total loss of confidentiality. Affected versions are 0.0.0 through 2.19.4; the fixed version listed above is 2.19.5.
CVE-2026-33614 affects mbCONNECT24, exposing a high-severity SQL injection vulnerability in the 'getinfo' endpoint. An unauthenticated remote attacker can exploit it because special characters in input that reaches an SQL SELECT command are not properly neutralized. The vulnerability carries a CVSS base score of 7.5 (High). Successful exploitation could result in a total loss of data confidentiality, including sensitive user and system information stored in the database. Because the endpoint requires no credentials, every affected instance reachable over the network is exposed, and the fixed release 2.19.5 should be applied promptly. The vulnerability is not in CISA's Known Exploited Vulnerabilities (KEV) catalog, which means there is no confirmed report of in-the-wild exploitation at the time of writing; it says nothing about whether the vendor has acknowledged the issue.
The vulnerability resides in the 'getinfo' endpoint of mbCONNECT24, which is reachable without authentication. An attacker can manipulate the endpoint's input parameters so that attacker-controlled text is spliced into a SELECT query. Without input validation or, better, parameterized queries, special SQL characters (a single quote that closes a string literal, comment sequences such as --, semicolons) are interpreted as part of the statement rather than as data. The attacker can then change the query's logic, for example widening the WHERE clause or appending a UNION clause to read other tables, which is how the confidentiality loss described in the advisory occurs. Whether records can be modified or commands executed on the database depends on database privileges and stacked-query support, which the advisory does not address; its stated impact is disclosure. The absence of authentication greatly facilitates exploitation, as anyone with network access to the instance can attempt it.
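To make the mechanism concrete, here is an added Python example (not code from mbCONNECT24 or the advisory; the table, column and function names, the SQLite database and the sample rows are all constructed for illustration) that places a string-concatenated SELECT next to its parameterized form and runs the same UNION payload against both:

```python
import sqlite3

# Constructed in-memory database standing in for an application database.
# Table names, columns and rows are hypothetical, not mbCONNECT24's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO devices (name, owner) VALUES (?, ?)",
                     [("router-a", "alice"), ("router-b", "bob")])
    conn.executemany("INSERT INTO users (login, pw_hash) VALUES (?, ?)",
                     [("alice", "hashA"), ("admin", "hashB")])
    return conn

def getinfo_vulnerable(conn, device_name):
    """Hypothetical 'getinfo' handler that splices the request parameter into
    the SELECT text. A single quote ends the literal and the rest of the input
    is parsed as SQL; UNION lets the attacker read any other table."""
    sql = "SELECT name, owner FROM devices WHERE name = '" + device_name + "'"
    return conn.execute(sql).fetchall()

def getinfo_fixed(conn, device_name):
    """Same query with a bound parameter. The driver sends the value separately
    from the statement, so quotes, comments and keywords are only data."""
    sql = "SELECT name, owner FROM devices WHERE name = ?"
    return conn.execute(sql, (device_name,)).fetchall()

# UNION-based payload: closes the literal, appends a second SELECT over the
# users table, and comments out the trailing quote of the original statement.
UNION_PAYLOAD = "x' UNION ALL SELECT login, pw_hash FROM users --"

def demo():
    """Run a legitimate lookup and the payload through both handlers."""
    conn = build_db()
    return {
        "legit_vulnerable": getinfo_vulnerable(conn, "router-a"),
        "legit_fixed": getinfo_fixed(conn, "router-a"),
        "payload_vulnerable": getinfo_vulnerable(conn, UNION_PAYLOAD),
        "payload_fixed": getinfo_fixed(conn, UNION_PAYLOAD),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>18}: {rows}")
```

Against the concatenated query the payload returns every row of the users table, which is exactly the "total loss of confidentiality" outcome; the parameterized query treats the same string as a device name that does not exist and returns nothing. The fix is the bound parameter, not filtering quotes.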
Exploit Status
EPSS
0.06% (20th percentile)
CISA SSVC
CVSS Vector
Until the fixed release (2.19.5, per the version information above) can be deployed, mitigation should focus on reducing exposure. Remove affected systems from the public network or place them behind a VPN so that only trusted clients can reach the 'getinfo' endpoint. Network firewalls and intrusion detection systems (IDS) can identify and block exploitation attempts, and a Web Application Firewall (WAF) can filter malicious traffic directed at 'getinfo'; treat the WAF as a stopgap, since injection payloads can be encoded to evade signature rules. Review the system configuration for additional weaknesses. Monitoring web server and application logs for requests to 'getinfo' that carry SQL metacharacters or keywords, and for unusually large responses from it, is the most direct way to spot exploitation. Follow the vendor's security advisory for the upgrade and any further instructions.
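As an added example of the log monitoring suggested above (my code, not a tool from mbCONNECT24 or the advisory), the following Python scans web server access logs in the common combined format for requests to a hypothetical /getinfo path whose URL-decoded query parameters contain SQL injection markers. The log lines are constructed; the /getinfo path and the id parameter are assumptions, since the advisory names only the endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in combined log format. The /getinfo path
# and the id parameter are assumptions; the advisory names only the endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:12 +0000] "GET /getinfo?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:01:13 +0000] "GET /getinfo?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:08:02:40 +0000] "GET /getinfo?id=1%20UNION%20SELECT%20login,pw_hash%20FROM%20users-- HTTP/1.1" 200 9001 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:08:02:41 +0000] "GET /login?next=%2Fgetinfo HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.5 - - [10/Mar/2026:08:03:00 +0000] "GET /getinfo?id=O%27Brien HTTP/1.1" 200 530 "-" "curl/8.4"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Ordered from most to least specific. A lone quote (as in O'Brien) is not
# flagged on its own; it has to be combined with SQL syntax to count.
RULES = [
    ("union_select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("stacked_query", re.compile(r";\s*(?:drop|insert|update|delete|alter)\b", re.I)),
    ("boolean_tautology", re.compile(r"'\s*(?:or|and)\s+'?\w+'?\s*=", re.I)),
    ("comment_sequence", re.compile(r"--|/\*|#")),
]

def scan_access_log(text, endpoint="/getinfo"):
    """Return one hit per request to `endpoint` whose decoded query value
    matches an injection rule. The response size is kept because a sudden
    jump next to a flagged request suggests the injection returned data."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith(endpoint):
            continue
        # parse_qsl percent-decodes the values, so encoded quotes are caught.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            for rule, pattern in RULES:
                if pattern.search(value):
                    hits.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "value": value, "rule": rule,
                                 "bytes": int(m["size"]) if m["size"].isdigit() else 0})
                    break
    return hits

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["rule"]:<18} {h["param"]}={h["value"]!r} ({h["bytes"]} bytes)')
```

Only the two injection attempts are reported; the benign `O'Brien` lookup and the `/login` request that merely mentions `getinfo` in a parameter are ignored. Note that both flagged requests returned far more bytes than the legitimate lookup, which is the kind of side signal worth alerting on even when a payload evades the regexes.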
Update mbCONNECT24 to a version later than 2.19.4 (2.19.5 is the listed fixed release) to correct the SQL injection vulnerability. Consult the vendor's security advisory for further details and specific upgrade instructions.
It's a unique identifier for a specific security vulnerability in mbCONNECT24 software.
It allows an attacker to access confidential information without authentication, potentially leading to a total loss of confidentiality.
Upgrade to 2.19.5. Until then, isolate the system from the public network, implement firewalls and a WAF, and monitor system logs for requests to the 'getinfo' endpoint that carry SQL syntax.
The fixed version listed for this CVE is 2.19.5; affected versions are 0.0.0 through 2.19.4. Consult the vendor's security advisory for upgrade instructions.
KEV refers to CISA's Known Exploited Vulnerabilities catalog. Not being listed in KEV means CISA has no confirmed evidence of in-the-wild exploitation; it says nothing about whether the vendor has acknowledged the issue.