Platform: other
Component: mbconnect24
Fixed in: 2.19.5
CVE-2026-33615 describes a critical SQL Injection vulnerability affecting mbCONNECT24 versions from 0.0.0 through 2.19.4. This vulnerability allows an unauthenticated attacker to inject malicious SQL code via the setinfo endpoint, potentially compromising the entire system. The vulnerability was publicly disclosed on April 2, 2026, and a patch is expected to be released by the vendor.
The SQL Injection vulnerability in mbCONNECT24 poses a significant risk to data integrity and system availability. An attacker exploiting this flaw can execute arbitrary SQL commands against the database, potentially leading to unauthorized data access, modification, or deletion. This could include sensitive customer information, financial records, or configuration data. Furthermore, the attacker could leverage the injected SQL to gain control of the underlying database server, enabling lateral movement within the network and potentially impacting other connected systems. The lack of authentication required to exploit the vulnerability significantly broadens the attack surface, making it accessible to a wide range of malicious actors.
CVE-2026-33615 has been publicly disclosed and carries a CRITICAL CVSS score of 9.1. The lack of authentication required for exploitation increases the likelihood of active scanning and potential exploitation. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the ease of exploitation suggests that PoCs may emerge quickly. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status: EPSS 0.10% (28th percentile)
The primary mitigation for CVE-2026-33615 is to upgrade mbCONNECT24 to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds to reduce the risk. These may include restricting access to the setinfo endpoint using a Web Application Firewall (WAF) or proxy server, implementing strict input validation on all parameters passed to the endpoint, and regularly monitoring database activity for suspicious queries. Review and harden database user permissions to limit the impact of a successful SQL injection attack. After upgrading, confirm the vulnerability is resolved by attempting a controlled SQL injection test on the setinfo endpoint.
Update mbCONNECT24 to a version later than 2.19.4. This fixes the SQL Injection vulnerability and prevents loss of system integrity and availability.
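As an added illustration of the input-handling fix that the workarounds above aim at, not code from mbCONNECT24 (whose setinfo implementation is not shown on this page): a hypothetical setinfo handler written the injectable way beside its parameterised form, on an in-memory SQLite table constructed for the example. A benign value containing an apostrophe is enough to show that the first form lets data alter the SQL statement while the second stores it unchanged.

```python
import sqlite3

# Hypothetical schema standing in for whatever the real setinfo endpoint
# writes to; constructed for this example only.
SCHEMA = "CREATE TABLE device_info (device_id TEXT PRIMARY KEY, info TEXT)"


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO device_info VALUES ('dev-1', 'initial')")
    conn.commit()
    return conn


def setinfo_vulnerable(conn, device_id: str, info: str) -> None:
    """The CWE-89 pattern: untrusted values spliced into the SQL text.
    A quote in `info` changes the statement's structure, not just its data."""
    sql = f"UPDATE device_info SET info = '{info}' WHERE device_id = '{device_id}'"
    conn.execute(sql)
    conn.commit()


def setinfo_fixed(conn, device_id: str, info: str) -> None:
    """Parameterised form: values travel separately from the SQL text, so any
    quote in `info` is stored literally and cannot alter the statement."""
    conn.execute(
        "UPDATE device_info SET info = ? WHERE device_id = ?", (info, device_id)
    )
    conn.commit()


def read_info(conn, device_id: str):
    row = conn.execute(
        "SELECT info FROM device_info WHERE device_id = ?", (device_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Return (vulnerable_failed, stored_value) for a benign quoted input."""
    value = "O'Brien's gateway"  # constructed benign input containing quotes
    conn = make_db()
    try:
        setinfo_vulnerable(conn, "dev-1", value)
        vulnerable_failed = False
    except sqlite3.Error:
        vulnerable_failed = True  # the quote broke the SQL: data became syntax
    setinfo_fixed(conn, "dev-1", value)
    return vulnerable_failed, read_info(conn, "dev-1")
```

The same parameter-binding discipline applies to whatever database driver the real application uses; a WAF rule in front of the endpoint only narrows exposure until the code-level fix in 2.19.5 is deployed.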
CVE-2026-33615 is a critical SQL Injection vulnerability in mbCONNECT24 versions 0.0.0–2.19.4, allowing unauthenticated attackers to inject malicious SQL code and potentially compromise the entire system.
If you are running mbCONNECT24 versions 0.0.0 through 2.19.4, you are potentially affected by this vulnerability. Assess your exposure and prioritize patching.
The recommended fix is to upgrade to a patched version of mbCONNECT24 as soon as it becomes available. Until then, implement temporary workarounds like WAF rules and input validation.
While no active exploitation has been confirmed, the vulnerability's criticality and ease of exploitation suggest a high likelihood of future attacks. Monitor for suspicious activity.
Refer to the official mbCONNECT24 website or security mailing list for the latest advisory and patch information, and check the vendor's security page.