Cyber Posture

CVE-2026-33613

Severity: High
Published: 02 April 2026
Modified: 16 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- SI-10 (prevent): requires validation of information inputs to neutralize special elements, directly preventing OS command injection in the generateSrpArray function.
- SI-2 (prevent): mandates identification, reporting, and correction of flaws like CVE-2026-33613, enabling timely patching to eliminate the command injection vulnerability.
- AC-6 (prevent): enforces least privilege, limiting the high-privilege access required to exploit the vulnerability after arbitrary writes to the user table.

Security Summary [AI-generated]

CVE-2026-33613, published on 2026-04-02, is a remote code execution vulnerability stemming from improper neutralization of special elements used in an OS command within the generateSrpArray function. Classified under CWE-78 (OS Command Injection), it enables full system compromise. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low attack complexity but requiring high privileges.

Exploitation requires a remote attacker to first have an independent means of writing arbitrary data to the user table. With that prerequisite met and high privileges obtained, the attacker can leverage the unneutralized special elements to inject and execute arbitrary OS commands via the generateSrpArray function, achieving complete system compromise including high confidentiality, integrity, and availability impacts.

Advisories detailing mitigation, such as patches or workarounds, are available in CERT-VDE advisory VDE-2026-030 at https://certvde.com/de/advisories/VDE-2026-030 and the associated CSAF document at https://mbconnectline.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-030.json.
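The description and summary above give the shape of the bug (a value stored in the user table is later placed into an OS command) and the SI-10 control names the fix (validate the input before use). The following is an added illustration of that CWE-78 pattern and its hardened form; it is not mbconnectline's code, the internals of the real generateSrpArray are not public on this page, and the user table schema, the function names and the sample rows are all constructed for the example. `echo` stands in for whatever tool the real function invokes, so the injected row only prints a marker.

```python
import re
import sqlite3
import subprocess

# Constructed sample data: a tiny "user" table holding one benign username and
# one that an attacker wrote through some other weakness, which is the
# prerequisite the advisory describes. The payload only echoes a marker.
INJECTED_USERNAME = "bob; echo INJECTED"


def make_user_table():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO user (username) VALUES (?)",
                     [("alice",), (INJECTED_USERNAME,)])
    return conn


def generate_srp_array_vulnerable(conn):
    """CWE-78 pattern (hypothetical, modelled on the advisory text): each username
    is concatenated into a command string handed to /bin/sh, so any shell
    metacharacters stored in the row are honoured by the shell."""
    outputs = []
    for (username,) in conn.execute("SELECT username FROM user ORDER BY id"):
        cmd = "echo " + username           # untrusted data enters the command line
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs


# Allow-list for usernames; the character set is an assumption for this example.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def generate_srp_array_hardened(conn):
    """Two independent fixes, either of which alone stops this injection:
    1. allow-list validation of the stored value before use (SI-10);
    2. passing the value as a discrete argv element with no shell involved,
       so it reaches the program as one argument and nothing parses it.
    Rows failing validation are reported rather than silently dropped, since a
    hostile row in the user table is itself an indicator worth alerting on."""
    outputs, rejected = [], []
    for (username,) in conn.execute("SELECT username FROM user ORDER BY id"):
        if not USERNAME_RE.fullmatch(username):
            rejected.append(username)
            continue
        result = subprocess.run(["echo", username], capture_output=True, text=True)
        outputs.append(result.stdout)
    return outputs, rejected


def argv_only(username):
    """The second fix in isolation: even the hostile value is delivered to echo
    as a single argument, so the marker is printed literally, not executed."""
    return subprocess.run(["echo", username], capture_output=True, text=True).stdout


def demo():
    conn = make_user_table()
    vuln = generate_srp_array_vulnerable(conn)
    safe, rejected = generate_srp_array_hardened(conn)
    return vuln, safe, rejected


if __name__ == "__main__":
    vuln, safe, rejected = demo()
    print("vulnerable:", vuln)                 # second entry contains INJECTED on its own line
    print("hardened:", safe, "rejected:", rejected)
    print("argv only:", repr(argv_only(INJECTED_USERNAME)))
```

The argv form is the structural fix; the allow-list is the SI-10 control. Applying both means a future change that reintroduces a shell (for redirection, piping, or a wrapper script) does not silently reopen the hole, and rejected rows give the operator something to log.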

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products

- mbconnectline mbconnect24, versions ≤ 2.19.4
- mbconnectline mymbconnect24, versions ≤ 2.19.4

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1210 Exploitation of Remote Services (Lateral Movement): adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
- T1059 Command and Scripting Interpreter (Execution): adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection (CWE-78) in generateSrpArray enables remote exploitation of a service (T1210) for arbitrary OS command execution (T1059).

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

References