CVE-2026-32968
Received Received - Intake
Remote Code Execution in com_mb24sysapi Module via OS Command Injection

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: CERT VDE

Description
Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32968
EUVD
EUVD-2026-14404
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mb_connect_line mbconnect24 to 2.19.3 (inc)
mb_connect_line mymbconnect24 to 2.19.3 (inc)
mb_connect_line mbconnect24 2.19.4
mb_connect_line mymbconnect24 2.19.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to update the affected devices to firmware version 2.19.4 or later.

This update addresses the Remote Code Execution vulnerability in the com_mb24sysapi module that allows unauthenticated remote attackers to execute arbitrary commands, leading to full system compromise.

Executive Summary

CVE-2026-32968 is a critical Remote Code Execution (RCE) vulnerability found in the com_mb24sysapi module of certain mbCONNECT24 and mymbCONNECT24 devices. It occurs because special elements used in operating system commands are not properly neutralized, allowing an unauthenticated remote attacker to execute arbitrary OS commands on the affected system.

This flaw leads to full system compromise, affecting the confidentiality, integrity, and availability of the device. It is a variant of a previously known vulnerability, CVE-2020-10383.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the affected system, resulting in full system compromise.

  • Complete loss of confidentiality, as sensitive data can be accessed or leaked.
  • Complete loss of integrity, as the attacker can modify system files or data.
  • Complete loss of availability, as the attacker can disrupt or disable system operations.
Compliance Impact

I don't know

Detection Guidance

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32968. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart