{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-33613","assignerOrgId":"270ccfa6-a436-4e77-922e-914ec3a9685c","state":"PUBLISHED","assignerShortName":"CERTVDE","dateReserved":"2026-03-23T13:15:49.381Z","datePublished":"2026-04-02T08:59:34.008Z","dateUpdated":"2026-04-02T13:42:38.209Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"mbCONNECT24","vendor":"MB connect line","versions":[{"lessThanOrEqual":"2.19.4","status":"affected","version":"0.0.0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"mymbCONNECT24","vendor":"MB connect line","versions":[{"lessThanOrEqual":"2.19.4","status":"affected","version":"0.0.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Moritz Abrell, Christian Zäske from SySS GmbH"}],"datePublic":"2026-04-02T09:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.<br>This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.<br>"}],"value":"Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.\nThis vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-78","description":"CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"270ccfa6-a436-4e77-922e-914ec3a9685c","shortName":"CERTVDE","dateUpdated":"2026-04-02T08:59:34.008Z"},"references":[{"tags":["vendor-advisory"],"url":"https://certvde.com/de/advisories/VDE-2026-030"},{"tags":["vendor-advisory"],"url":"https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json"}],"source":{"advisory":"VDE-2026-030","defect":["CERT@VDE#641994"],"discovery":"EXTERNAL"},"title":"MB connect line mbCONNECT24 vulnerable to RCE in generateSrpArray","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-02T13:41:33.794559Z","id":"CVE-2026-33613","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-02T13:42:38.209Z"}}]}}