OTPulse

MB connect line mbCONNECT24, mymbCONNECT24

Plan Patch · CVSS 7.8 · ICS-CERT ICSA-21-061-03 · Mar 2, 2021
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

MB connect line's mbCONNECT24 and mymbCONNECT24 remote access gateways contain multiple vulnerabilities including weak authentication (CWE-798 hardcoded credentials), injection flaws (CWE-79 XSS, CWE-918 SSRF), insufficient access controls (CWE-269), resource exhaustion (CWE-400), and information disclosure (CWE-200, CWE-522). Successful exploitation could allow unauthorized access to sensitive information or remote code execution on the gateway. The devices are used to provide remote access to industrial control systems and connected equipment. mymbCONNECT24 version 2.6.1 and earlier are vulnerable. MB connect line recommends updating to Version 2.71 or higher, though a future release will be needed to fully address CVE-2020-35567, CVE-2020-35565, and CVE-2020-35561.

What this means
What could happen
An attacker with local access or remote network access could execute arbitrary code on the mbCONNECT24 or mymbCONNECT24 gateway, potentially allowing them to alter device configurations, intercept traffic to connected PLCs, or disrupt remote access for operators.
Who's at risk
Water authorities and utilities using MB connect line's mbCONNECT24 or mymbCONNECT24 remote access gateways are affected. These devices are commonly used to provide secure remote access to PLCs and HMIs at pump stations, treatment plants, and distribution systems. Organizations with industrial equipment requiring remote support or monitoring should assess exposure.
How it could be exploited
An attacker could exploit multiple weaknesses to gain unauthorized access: weak authentication mechanisms (CWE-798 default/hardcoded credentials) could allow initial login, followed by injection attacks (CWE-79 XSS, CWE-918 SSRF) or privilege escalation (CWE-269) to execute code. Remote access is possible if the device is exposed on the network or Internet.
Prerequisites
  • Network access to the mbCONNECT24 or mymbCONNECT24 web interface (port 443 or 80)
  • User credentials or ability to exploit default/weak credentials
  • Device running vulnerable version 2.6.1 or earlier (mymbCONNECT24)
  • Device not behind adequate firewall protection
  • Multiple vulnerabilities in single product
  • Remote code execution possible
  • Authentication/credential weaknesses
  • Low CVSS score but multiple CWEs indicate complex attack surface
  • No patch available yet for some vulnerabilities
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (1)
Product | Affected Versions | Fix Status
mymbCONNECT24: v2.6.1 and prior | ≤ 2.6.1 | 2.71
Remediation & Mitigation
Do now
WORKAROUND: Activate brute-force detection via Security → Fail2Ban → WebLogin (CVE-2020-35565)
HARDENING: Block vulnerable open ports on the LAN side using a firewall (CVE-2020-35561)
HARDENING: Restrict network access to mbCONNECT24/mymbCONNECT24 devices; do not expose to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update mymbCONNECT24 and mbCONNECT24 to Version 2.71 or higher
Long-term hardening
HARDENING: Isolate the device and its connected PLCs from the business network using a firewall
HARDENING: If remote access is required, use a VPN with current patches and strong authentication
MB connect line mbCONNECT24, mymbCONNECT24 | CVSS 7.8 - OTPulse