CVE-2026-32968
Published: 23 March 2026
Description
Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383.
Mitigating Controls (NIST 800-53 r5)AI
SI-2 directly remediates the specific RCE flaw in the com_mb24sysapi module caused by improper OS command neutralization, preventing exploitation.
SI-10 enforces information input validation at interfaces, directly countering the CWE-78 improper neutralization of special elements used in OS commands.
SC-7 monitors and controls external communications, mitigating remote unauthenticated exploitation attempts over the network.
Security SummaryAI
CVE-2026-32968 is a remote code execution (RCE) vulnerability caused by improper neutralization of special elements used in an OS command (CWE-78) within the com_mb24sysapi module. Published on 2026-03-23, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction or privileges required. Successful exploitation results in full system compromise, granting high levels of confidentiality, integrity, and availability impacts.
Advisories from CERT VDE provide further details on the vulnerability at https://certvde.com/de/advisories/VDE-2026-024 and https://certvde.com/de/advisories/VDE-2026-025.
This issue is described as a variant attack for CVE-2020-10383.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-32968 is an unauthenticated remote code execution vulnerability in a public-facing web application module via OS command injection (CWE-78), directly enabling exploitation of public-facing applications.