CVE-2026-35075 - Vulnerability Details

- Hardcoded default Password for Service Account

Description

An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.

Published: 2026-06-03

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MBS

Single-A

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-A Profibus

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-A x-link

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Single-X

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X CAN

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X DALI

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X KNX

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X LON

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X M-Bus

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X PROFINET

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Double-X x-link

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X KNX+DALI

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X KNX+LON

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X KNX+M-Bus

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X PROFINET+DALI

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X PROFINET+KNX

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X PROFINET+LON

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

MBS

Triple-X PROFINET+M-Bus

unaffected

Version	Status	Constraints
`V1_0_0_0`	affected	< V6_0_0_7

Configuration 1 [-]

AND

cpe:2.3:o:mbs-solutions:universal_gateway_firmware:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:mbs-solutions:double-a_profibus:-:::::::*
	cpe:2.3:h:mbs-solutions:double-a_x-link:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_can:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_dali:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_knx:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_lon:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_m-bus:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_profinet:-:::::::*
	cpe:2.3:h:mbs-solutions:double-x_x-link:-:::::::*
	cpe:2.3:h:mbs-solutions:single-a:-:::::::*
	cpe:2.3:h:mbs-solutions:single-x:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_knx\+dali:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_knx\+lon:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_knx\+m-bus:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_profinet\+dali:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_profinet\+knx:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_profinet\+lon:-:::::::*
	cpe:2.3:h:mbs-solutions:triple-x_profinet\+m-bus:-:::::::*

No data.

Vendor Product Confidence Versions

Mbs

Double A Profibus Firmware

82%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double A X Link Firmware

81%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X Can Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X Dali Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X Knx Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X Lon Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X M Bus Firmware

80%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X Profinet Firmware

82%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Double X X Link Firmware

81%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Single A Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Single X Firmware

100%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Knx Dali Firmware

82%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Knx Lon Firmware

82%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Knx M Bus Firmware

83%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Profinet Dali Firmware

85%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Profinet Knx Firmware

85%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Profinet Lon Firmware

85%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Mbs

Triple X Profinet M Bus Firmware

86%

Version	Status	Scheme	Platform
`[V1_0_0_0,V6_0_0_7)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00466.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.certvde.com/en/advisories/VDE-2026-039/

History

Mon, 08 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mbs-solutions Mbs-solutions double-a Profibus Mbs-solutions double-a X-link Mbs-solutions double-x Can Mbs-solutions double-x Dali Mbs-solutions double-x Knx Mbs-solutions double-x Lon Mbs-solutions double-x M-bus Mbs-solutions double-x Profinet Mbs-solutions double-x X-link Mbs-solutions single-a Mbs-solutions single-x Mbs-solutions triple-x Knx\+dali Mbs-solutions triple-x Knx\+lon Mbs-solutions triple-x Knx\+m-bus Mbs-solutions triple-x Profinet\+dali Mbs-solutions triple-x Profinet\+knx Mbs-solutions triple-x Profinet\+lon Mbs-solutions triple-x Profinet\+m-bus Mbs-solutions universal Gateway Firmware
CPEs		cpe:2.3:h:mbs-solutions:double-a_profibus:-:::::::* cpe:2.3:h:mbs-solutions:double-a_x-link:-:::::::* cpe:2.3:h:mbs-solutions:double-x_can:-:::::::* cpe:2.3:h:mbs-solutions:double-x_dali:-:::::::* cpe:2.3:h:mbs-solutions:double-x_knx:-:::::::* cpe:2.3:h:mbs-solutions:double-x_lon:-:::::::* cpe:2.3:h:mbs-solutions:double-x_m-bus:-:::::::* cpe:2.3:h:mbs-solutions:double-x_profinet:-:::::::* cpe:2.3:h:mbs-solutions:double-x_x-link:-:::::::* cpe:2.3:h:mbs-solutions:single-a:-:::::::* cpe:2.3:h:mbs-solutions:single-x:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_knx\+dali:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_knx\+lon:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_knx\+m-bus:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_profinet\+dali:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_profinet\+knx:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_profinet\+lon:-:::::::* cpe:2.3:h:mbs-solutions:triple-x_profinet\+m-bus:-:::::::* cpe:2.3:o:mbs-solutions:universal_gateway_firmware::::::::
Vendors & Products		Mbs-solutions Mbs-solutions double-a Profibus Mbs-solutions double-a X-link Mbs-solutions double-x Can Mbs-solutions double-x Dali Mbs-solutions double-x Knx Mbs-solutions double-x Lon Mbs-solutions double-x M-bus Mbs-solutions double-x Profinet Mbs-solutions double-x X-link Mbs-solutions single-a Mbs-solutions single-x Mbs-solutions triple-x Knx\+dali Mbs-solutions triple-x Knx\+lon Mbs-solutions triple-x Knx\+m-bus Mbs-solutions triple-x Profinet\+dali Mbs-solutions triple-x Profinet\+knx Mbs-solutions triple-x Profinet\+lon Mbs-solutions triple-x Profinet\+m-bus Mbs-solutions universal Gateway Firmware

Wed, 03 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 03 Jun 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices.
Title		Hardcoded default Password for Service Account
First Time appeared		Mbs Mbs double A Profibus Firmware Mbs double A X Link Firmware Mbs double X Can Firmware Mbs double X Dali Firmware Mbs double X Knx Firmware Mbs double X Lon Firmware Mbs double X M Bus Firmware Mbs double X Profinet Firmware Mbs double X X Link Firmware Mbs single A Firmware Mbs single X Firmware Mbs triple X Knx Dali Firmware Mbs triple X Knx Lon Firmware Mbs triple X Knx M Bus Firmware Mbs triple X Profinet Dali Firmware Mbs triple X Profinet Knx Firmware Mbs triple X Profinet Lon Firmware Mbs triple X Profinet M Bus Firmware
Weaknesses		CWE-1393
CPEs		cpe:2.3:o:mbs:double_a_profibus_firmware:::::::: cpe:2.3:o:mbs:double_a_x_link_firmware:::::::: cpe:2.3:o:mbs:double_x_can_firmware:::::::: cpe:2.3:o:mbs:double_x_dali_firmware:::::::: cpe:2.3:o:mbs:double_x_knx_firmware:::::::: cpe:2.3:o:mbs:double_x_lon_firmware:::::::: cpe:2.3:o:mbs:double_x_m_bus_firmware:::::::: cpe:2.3:o:mbs:double_x_profinet_firmware:::::::: cpe:2.3:o:mbs:double_x_x_link_firmware:::::::: cpe:2.3:o:mbs:single_a_firmware:::::::: cpe:2.3:o:mbs:single_x_firmware:::::::: cpe:2.3:o:mbs:triple_x_knx_dali_firmware:::::::: cpe:2.3:o:mbs:triple_x_knx_lon_firmware:::::::: cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:::::::: cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:::::::: cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:::::::: cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:::::::: cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware::::::::
Vendors & Products		Mbs Mbs double A Profibus Firmware Mbs double A X Link Firmware Mbs double X Can Firmware Mbs double X Dali Firmware Mbs double X Knx Firmware Mbs double X Lon Firmware Mbs double X M Bus Firmware Mbs double X Profinet Firmware Mbs double X X Link Firmware Mbs single A Firmware Mbs single X Firmware Mbs triple X Knx Dali Firmware Mbs triple X Knx Lon Firmware Mbs triple X Knx M Bus Firmware Mbs triple X Profinet Dali Firmware Mbs triple X Profinet Knx Firmware Mbs triple X Profinet Lon Firmware Mbs triple X Profinet M Bus Firmware
References		https://www.certvde.com/en/advisories/VDE-2026-039/
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Mbs Double A Profibus Firmware Double A X Link Firmware Double X Can Firmware Double X Dali Firmware Double X Knx Firmware Double X Lon Firmware Double X M Bus Firmware Double X Profinet Firmware Double X X Link Firmware Single A Firmware Single X Firmware Triple X Knx Dali Firmware Triple X Knx Lon Firmware Triple X Knx M Bus Firmware Triple X Profinet Dali Firmware Triple X Profinet Knx Firmware Triple X Profinet Lon Firmware Triple X Profinet M Bus Firmware

Mbs-solutions Double-a Profibus Double-a X-link Double-x Can Double-x Dali Double-x Knx Double-x Lon Double-x M-bus Double-x Profinet Double-x X-link Single-a Single-x Triple-x Knx\+dali Triple-x Knx\+lon Triple-x Knx\+m-bus Triple-x Profinet\+dali Triple-x Profinet\+knx Triple-x Profinet\+lon Triple-x Profinet\+m-bus Universal Gateway Firmware

MITRE

Status: PUBLISHED

Assigner: CERTVDE

Published: 2026-06-03T10:38:23.515Z

Updated: 2026-06-09T10:38:45.361Z

Reserved: 2026-04-01T08:28:27.141Z

Link: CVE-2026-35075

Vulnrichment

Updated: 2026-06-03T12:41:02.684Z

NVD

Status : Analyzed

Published: 2026-06-03T13:16:19.407

Modified: 2026-06-08T17:17:58.250

Link: CVE-2026-35075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:12:03Z

Weaknesses

CWE-1393

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object