Cyber Posture

CVE-2026-33613

High · RCE

Published: 02 April 2026

Modified: 16 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.8th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33613 is a high-severity OS Command Injection (CWE-78) vulnerability in Mbconnectline Mbconnect24. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 34.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: SI-10 requires validation of information inputs to neutralize special elements, directly preventing OS command injection in the generateSrpArray function.

Prevent: SI-2 mandates identification, reporting, and correction of flaws like CVE-2026-33613, enabling timely patching to eliminate the command injection vulnerability.

Prevent: AC-6 enforces least privilege, limiting high-privilege access required to exploit the vulnerability after arbitrary writes to the user table.

MITRE ATT&CK Enterprise Techniques [AI]

T1210 Exploitation of Remote Services (tactic: Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection (CWE-78) in generateSrpArray enables remote exploitation of a service (T1210) for arbitrary OS command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.

Deeper analysis [AI]

CVE-2026-33613, published on 2026-04-02, is a remote code execution vulnerability stemming from improper neutralization of special elements used in an OS command within the generateSrpArray function. Classified under CWE-78 (OS Command Injection), it enables full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity but requiring high privileges.

Exploitation requires a remote attacker to first have an independent means of writing arbitrary data to the user table. With that prerequisite met and high privileges obtained, the attacker can leverage the unneutralized special elements to inject and execute arbitrary OS commands via the generateSrpArray function, achieving complete system compromise including high confidentiality, integrity, and availability impacts.

Advisories detailing mitigation, such as patches or workarounds, are available in CERT-VDE advisory VDE-2026-030 at https://certvde.com/de/advisories/VDE-2026-030 and the associated CSAF document at https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json.

Details

CWE(s)

Affected Products

mbconnectline mbconnect24: versions ≤ 2.19.4
mbconnectline mymbconnect24: versions ≤ 2.19.4

CVEs Like This One

CVE-2026-33616 (same product: Mbconnectline Mbconnect24)
CVE-2026-33614 (same product: Mbconnectline Mbconnect24)
CVE-2026-33615 (same product: Mbconnectline Mbconnect24)
CVE-2025-11787 (shared CWE-78)
CVE-2025-44961 (shared CWE-78)
CVE-2026-24452 (shared CWE-78)
CVE-2026-25105 (shared CWE-78)
CVE-2026-1428 (shared CWE-78)
CVE-2025-30479 (shared CWE-78)
CVE-2025-55055 (shared CWE-78)
