This vulnerability (CVE-2026-40832) affects MB connect line's mbCONNECT24 product, specifically in the getDevicegroups function. It is caused by improper neutralization of special elements in an SQL SELECT command, resulting in an unauthenticated SQL Injection vulnerability. A remote attacker with low privileges can exploit this to access confidential data. The CVSS 4.0 base score is 7.1, indicating high severity, with attack vector network, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. No patch or official remediation level has been published yet.

Exploitation of this vulnerability can lead to a total loss of confidentiality, meaning an attacker could access sensitive information stored in the database. Since the attack requires no authentication and can be performed remotely, the risk to affected systems is significant. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, users should monitor MB connect line communications for updates. Until a patch is released, consider restricting network access to the affected service and applying any recommended vendor workarounds once available.