An unauthenticated SQL Injection vulnerability (CWE-89) exists in the _mb24api_getUserAccount function of the mbCONNECT24 product by MB connect line. The issue arises from improper neutralization of special elements in a SQL SELECT command, enabling remote attackers to execute arbitrary SQL commands without authentication. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact. No official patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation of this vulnerability can result in a total loss of confidentiality, allowing attackers to access sensitive data stored in the backend database without authentication. This could compromise user accounts and other confidential information managed by mbCONNECT24. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting network access to the affected service to trusted users only and monitor for unusual activity related to SQL queries targeting the _mb24api_getUserAccount function. Avoid exposing the vulnerable interface to untrusted networks.