An unauthenticated SQL Injection vulnerability exists in the mb24alarm.php file of the mbCONNECT24 product by MB connect line. The issue is in the _mb24confi_getTagAlarm function, where special elements in a SQL SELECT command are not properly neutralized, enabling remote attackers to inject SQL code without authentication. The CVSS 4.0 base score is 8.7, indicating high severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality. No patch or official fix has been disclosed, and the vulnerability is publicly known as of May 27, 2026.

Successful exploitation of this vulnerability allows unauthenticated remote attackers to perform SQL Injection attacks, potentially leading to complete disclosure of sensitive data managed by the mbCONNECT24 system. This results in a total loss of confidentiality. There is no indication of impact on integrity or availability. No known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict network access to the affected mbCONNECT24 service to trusted users only and monitor for unusual database query activity. Avoid exposing the vulnerable interface to untrusted networks. Follow up with MB connect line for updates on patches or official mitigations.