CVE-2025-3090
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-06-26
Assigner: CERT VDE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-3090 is a vulnerability in certain products (mbCONNECT24, mymbCONNECT24, myREX24, and myREX24.virtual) prior to version 2.18.0. It occurs because the mb24api endpoint, accessible via VPN, lacks authentication for critical functions. This missing authentication allows an unauthenticated remote attacker to access limited sensitive information such as user and device names and to perform a denial-of-service (DoS) attack on the device. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an unauthenticated remote attacker to obtain limited sensitive information (like user and device names) and to cause a denial-of-service (DoS) attack on your device, potentially disrupting availability and service. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to update the affected products (mbCONNECT24, mymbCONNECT24, myREX24, and myREX24.virtual) to version 2.18.0 or later, which addresses the missing authentication issue in the mb24api endpoint. [1, 2]