This vulnerability arises from improper neutralization of special elements in an SQL SELECT command within the getLiveValues function's 'sn' parameter in mbCONNECT24. Because the input is not properly sanitized, an unauthenticated remote attacker can inject malicious SQL commands, potentially leading to unauthorized data disclosure. The vulnerability is classified under CWE-89 (SQL Injection). The CVSS 4.0 vector indicates the attack requires no privileges, no user interaction, and can be performed remotely with low attack complexity, resulting in high confidentiality impact.

An attacker exploiting this vulnerability can achieve a total loss of confidentiality, meaning sensitive data accessible via the affected SQL query could be exposed. Since the attack requires no authentication and no user interaction, the risk of exploitation is significant. However, no known exploits have been reported in the wild so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the affected service and monitor for unusual activity related to the getLiveValues function. Avoid exposing the vulnerable interface to untrusted networks if possible.