Cyber Posture

CVE-2026-33614

High

Published: 02 April 2026

Published
02 April 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0005 16.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33614 is a high-severity SQL Injection (CWE-89) vulnerability in Mbconnectline Mbconnect24. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation and neutralization of special elements in inputs to the getinfo endpoint SQL SELECT command, preventing SQL injection exploitation.

SI-2 Flaw Remediation good match
prevent

Provides for timely identification, reporting, and remediation of the specific SQL injection flaw via patching as detailed in related advisories.

SC-7 Boundary Protection partial match
preventdetect

Boundary protection at external interfaces can deploy web application firewalls to inspect traffic and block SQL injection patterns targeting the unauthenticated getinfo endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Unauthenticated SQL injection in public-facing getinfo endpoint directly enables remote exploitation of public-facing applications (T1190) for unauthorized database data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.

Deeper analysisAI

CVE-2026-33614 is an unauthenticated SQL injection vulnerability (CWE-89) in the getinfo endpoint, stemming from improper neutralization of special elements used in a SQL SELECT command. Published on 2026-04-02, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity primarily due to its impact on confidentiality.

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables a total loss of confidentiality, potentially allowing the attacker to extract sensitive data from the underlying database.

Advisories detailing mitigations and patches are available from CERT VDE under VDE-2026-030, accessible at https://certvde.com/de/advisories/VDE-2026-030 and as a CSAF document at https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json.

Details

CWE(s)
CWE-89

Affected Products

mbconnectline
mbconnect24
≤ 2.19.4
mbconnectline
mymbconnect24
≤ 2.19.4

CVEs Like This One

CVE-2026-33615Same product: Mbconnectline Mbconnect24
CVE-2026-33616Same product: Mbconnectline Mbconnect24
CVE-2026-33613Same product: Mbconnectline Mbconnect24
CVE-2026-3180Shared CWE-89
CVE-2025-1872Shared CWE-89
CVE-2026-32458Shared CWE-89
CVE-2026-24494Shared CWE-89
CVE-2025-26875Shared CWE-89
CVE-2026-26263Shared CWE-89
CVE-2026-30531Shared CWE-89

References