This vulnerability arises from improper neutralization of special elements in an SQL SELECT command within the getAlarmProfiles function of mbCONNECT24. An unauthenticated remote attacker can leverage this SQL Injection flaw to access or manipulate sensitive data, resulting in a complete confidentiality breach. The CVSS 4.0 base score is 8.7, reflecting high severity with network attack vector, no required privileges or user interaction, and high confidentiality impact. No patch or official remediation level has been published by the vendor, and the product is not a cloud service, so remediation must be managed by the user or vendor updates.

Successful exploitation can lead to total loss of confidentiality of data managed by mbCONNECT24. Since the attacker requires no authentication, the risk of unauthorized data disclosure is significant. There is no indication of integrity or availability impact. No known exploits in the wild have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or workaround is currently documented, users should monitor vendor communications closely for updates. Until a patch is available, restricting network access to the affected service and employing network-level protections may reduce exposure.