This vulnerability involves an unauthenticated SQL Injection in the _mb24confi_getDevice function of mbCONNECT24. Due to improper neutralization of special elements in a SQL SELECT command, an attacker can inject malicious SQL code remotely without authentication. This can compromise the confidentiality of the system's data. The CVSS 4.0 base score is 8.7, reflecting high severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality. There is no vendor-provided patch or remediation level at this time, and the product is not a cloud service.

Successful exploitation results in a total loss of confidentiality, meaning sensitive data accessible via the SQL database can be exposed to an unauthenticated remote attacker. No integrity or availability impacts are indicated. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict network access to the affected mbCONNECT24 service to trusted users only and monitor for suspicious activity related to SQL injection attempts. Avoid exposing the vulnerable interface directly to untrusted networks.