MB Connect Line and Helmholz myREX24V2: Pre-Authentication Blind SQL Injection Vulnerability

Vulnerability

A pre-authentication blind SQL injection vulnerability has been identified in the userinfo endpoint's authentication method of MB connect line mbCONNECT24/mymbCONNECT24 and Helmholz myREX24V2/myREX24V2.virtual, all running firmware through 2.19.3. This vulnerability allows unauthenticated remote attackers to exploit improper neutralization of special elements in a SQL SELECT command, leading to arbitrary read access of the complete database.

Impact

Exploitation of this vulnerability allows for unauthenticated blind SQL injection, resulting in arbitrary read access to the entire database.

Remediation

Users are advised to update their mbCONNECT24/mymbCONNECT24 or myREX24V2/myREX24V2.virtual instance to version 2.19.4.

Added: Mar 23, 2026, 12:18 PM
Updated: Mar 23, 2026, 12:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 7.8
remediation: 7.7
relevance: 4.6
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.