{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordination", "urls": [ "https://certvde.com" ] }, { "names": [ "Adrien Rey" ], "organization": "Cyber Defense Campus Zurich", "summary": "reporting", "urls": [ "https://www.cydcampus.admin.ch" ] }, { "names": [ "Daniel Hulliger" ], "organization": "Armasuisse", "summary": "reporting", "urls": [ "https://www.ar.admin.ch" ] } ], "aggregate_severity": { "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-GB", "notes": [ { "category": "summary", "text": "The MBS Universal Gateways (UGW-A-Series, UGW-X-Series) connect devices using various digital communication protocols within the field of building automation. Several security vulnerabilities have been identified in the UGW web GUI and the underlying firmware, affecting version V6_0_0_5 and earlier.\n\nAmong other things, several CGI methods are affected by insufficient input validation and a lack of bounds checking. These flaws allow authorized attackers to perform arbitrary file deletion, include local files, or terminate system processes. Furthermore, multiple stack-based buffer overflows were discovered that can be exploited to execute arbitrary code with root privileges, leading to a full system compromise. Additionally, the firmware contains a hardcoded default password for a service account, which significantly lowers the barrier for unauthorized access.", "title": "Summary" }, { "category": "description", "text": "Exploitation of these vulnerabilities may allow an authenticated attacker to read or delete arbitrary local files on the affected UGW devices, terminate system processes, or gain unauthorized access through a known service account password. Most significantly, stack-based buffer overflows in several CGI endpoints can be leveraged to execute arbitrary code with root privileges, potentially resulting in a full system compromise. In addition, these flaws can be abused to cause a denial of service or to access confidential configuration data.", "title": "Impact" }, { "category": "description", "text": "Update the affected products to firmware version V6_0_0_7.\n\nThese are available at https://en.mbs-solutions.de/firmwareupdate", "title": "Remediation" } ], "publisher": { "category": "vendor", "contact_details": "psirt@mbs-solutions.de", "name": "MBS GmbH", "namespace": "https://www.mbs-solutions.de" }, "references": [ { "category": "external", "summary": "CERT@VDE Security Advisories for MBS GmbH", "url": "https://www.certvde.com/en/advisories/vendor/mbs" }, { "category": "self", "summary": "VDE-2026-039: MBS: Several security vulnerabilities in the UGW web GUI - HTML", "url": "https://www.certvde.com/en/advisories/VDE-2026-039/" }, { "category": "self", "summary": "VDE-2026-039: MBS: Several security vulnerabilities in the UGW web GUI - CSAF", "url": "https://mbs.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-039.json" } ], "title": "MBS: Several security vulnerabilities in the UGW web GUI", "tracking": { "aliases": [ "VDE-2026-039" ], "current_release_date": "2026-06-03T13:00:00.000Z", "generator": { "date": "2026-06-03T13:00:00.000Z", "engine": { "name": "Secvisogram", "version": "2.5.44" } }, "id": "VDE-2026-039", "initial_release_date": "2026-06-03T13:00:00.000Z", "revision_history": [ { "date": "2026-06-03T13:00:00.000Z", "number": "1.0.0", "summary": "Initial revision." } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Single-A", "product": { "name": "MBS GmbH Hardware UGW-A-Series Single-A", "product_id": "CSAFPID-11001", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:single_a:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-A Profibus", "product": { "name": "MBS GmbH Hardware UGW-A-Series Double-A Profibus", "product_id": "CSAFPID-11002", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_a_profibus:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-A x-link", "product": { "name": "MBS GmbH Hardware UGW-A-Series Double-A x-link", "product_id": "CSAFPID-11003", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_a_x_link:*:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "UGW-A-Series" }, { "branches": [ { "category": "product_name", "name": "Single-X", "product": { "name": "MBS GmbH Hardware UGW-X-Series Single-X", "product_id": "CSAFPID-11004", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:single_x:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X CAN", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X CAN", "product_id": "CSAFPID-11005", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_can:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X DALI", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X DALI", "product_id": "CSAFPID-11006", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_dali:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X KNX", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X KNX", "product_id": "CSAFPID-11007", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_knx:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X LON", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X LON", "product_id": "CSAFPID-11008", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_lon:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X M-Bus", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X M-Bus", "product_id": "CSAFPID-11009", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_m_bus:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X PROFINET", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X PROFINET", "product_id": "CSAFPID-11010", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_profinet:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Double-X x-link", "product": { "name": "MBS GmbH Hardware UGW-X-Series Double-X x-link", "product_id": "CSAFPID-11011", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:double_x_x_link:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X KNX+DALI", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X KNX+DALI", "product_id": "CSAFPID-11012", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_knx_dali:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X KNX+LON", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X KNX+LON", "product_id": "CSAFPID-11013", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_knx_lon:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X KNX+M-Bus", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X KNX+M-Bus", "product_id": "CSAFPID-11014", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_knx_m_bus:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X PROFINET+DALI", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X PROFINET+DALI", "product_id": "CSAFPID-11015", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_profinet_dali:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X PROFINET+KNX", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X PROFINET+KNX", "product_id": "CSAFPID-11016", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_profinet_knx:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X PROFINET+LON", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X PROFINET+LON", "product_id": "CSAFPID-11017", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_profinet_lon:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "Triple-X PROFINET+M-Bus", "product": { "name": "MBS GmbH Hardware UGW-X-Series Triple-X PROFINET+M-Bus", "product_id": "CSAFPID-11018", "product_identification_helper": { "cpe": "cpe:2.3:h:mbs:triple_x_profinet_m_bus:*:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "UGW-X-Series" } ], "category": "product_family", "name": "Hardware" }, { "branches": [ { "category": "product_version_range", "name": "vers:generic/>=V1_0_0_0|