This vulnerability involves an unauthenticated SQL Injection in the mbCONNECT24 product's getLiveValues function, specifically in the tagid parameter. The issue arises from improper neutralization of special elements in a SQL SELECT command, allowing attackers to manipulate the query. Because no authentication is required, remote attackers can exploit this flaw to access sensitive data, resulting in a total loss of confidentiality. The CVSS 4.0 score of 8.7 reflects the vulnerability's high impact and ease of exploitation. No patch or official remediation guidance is currently available, and no exploits have been observed in the wild.

An unauthenticated remote attacker can exploit this SQL Injection vulnerability to access or manipulate sensitive data within the affected system, leading to a total loss of confidentiality. This could compromise the integrity of the database and expose sensitive information without requiring any authentication.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, organizations should consider implementing network-level protections such as restricting access to the affected service and monitoring for suspicious activity related to the getLiveValues function. Avoid exposing the vulnerable interface to untrusted networks. Follow up with MB connect line for updates on patches or official mitigations.