This vulnerability is an unauthenticated SQL Injection (CWE-89) in mbCONNECT24's dataapi.php file within the _mb24confi_getTagAlarm function. Improper neutralization of special elements in a SQL SELECT command allows remote attackers to inject malicious SQL code. The flaw enables attackers to bypass authentication and potentially access or manipulate sensitive data, resulting in a total loss of confidentiality. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction needed, and high confidentiality impact. No patch or official remediation guidance is currently available from the vendor.

Successful exploitation can lead to a total loss of confidentiality, meaning attackers may access sensitive information stored in the backend database without authentication. This could compromise the integrity and privacy of data managed by mbCONNECT24. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting network access to the affected service and monitor for suspicious activity related to SQL injection attempts. Avoid exposing the vulnerable endpoint to untrusted networks. No official patch or temporary fix has been provided by the vendor as of now.