CVE-2026-35076: MBS Solutions Gateway Arbitrary File Deletion Vulnerability
A vulnerability in MBS Solutions gateway and protocol-conversion products allows authenticated users to delete files from the affected system without proper authorization. The flaw exists in the 'bac-scanresult' method, which fails to validate user-supplied input adequately. An attacker who has legitimate credentials can exploit this to remove critical files, potentially disrupting system operations or causing data loss.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-73
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35076 is a CWE-73 (External Control of File Name or Path) vulnerability affecting the bac-scanresult method across MBS Solutions' gateway and dual/triple-protocol converter product line. The vulnerability stems from insufficient input validation on user-controlled parameters passed to file deletion operations. The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible attack with low complexity, requiring only user-level privileges and no user interaction, resulting in high integrity and availability impact. The attack vector targets the administrative or operational interface of these industrial gateway devices.
Business impact
Compromised file integrity on gateway devices poses significant operational risk. Deletion of configuration files could render protocol conversion non-functional, disrupting communication between connected industrial systems. Loss of logs or firmware components may hinder incident response and system recovery. For organizations relying on these gateways for critical protocol bridging in manufacturing or building automation environments, exploitation could lead to unplanned downtime, inability to diagnose faults, and potential cascade failures in connected systems.
Affected systems
The vulnerability affects a broad range of MBS Solutions products across their gateway and protocol-bridge lineup: universal gateway firmware, and dual-protocol (Double-A, Double-X series) and triple-protocol (Triple-X series) converters supporting PROFIBUS, X-Link, CAN, DALI, KNX, LON, M-Bus, and PROFINET. Single-A and Single-X models are also impacted. Any deployment using these devices in networked configurations where users have authenticated access is potentially vulnerable.
Exploitability
The vulnerability requires valid user credentials but presents a straightforward exploitation path once authenticated. Network accessibility (AV:N) and low attack complexity (AC:L) mean that a user with legitimate system access—whether administrative, operational staff, or a compromised user account—can invoke the bac-scanresult method with malicious file path parameters to delete arbitrary files. No special tools or advanced techniques are required; the attack is likely reproducible through standard API calls or management interfaces. Exploit code has not been publicly disclosed, and this CVE is not currently tracked in CISA's Known Exploited Vulnerabilities catalog.
Remediation
Organizations must patch affected MBS Solutions products to versions that implement proper input validation and path sanitization for the bac-scanresult method. Consult MBS Solutions security advisories and product documentation for specific patched firmware versions applicable to each product variant. In parallel, restrict network and administrative access to gateway management interfaces using firewall rules, VPN access controls, and role-based access policies. Monitor user authentication logs for suspicious activity, particularly unusual file-deletion patterns or failed access attempts to sensitive configuration areas.
Patch guidance
Contact MBS Solutions directly or check their security portal for firmware updates addressing CVE-2026-35076. Verify that the patched version explicitly closes CWE-73 input validation on the bac-scanresult method. Test patches in a staging environment before deploying to production gateways to ensure protocol functionality is not disrupted. Document the patch date and version in your asset inventory. Given the broad product range affected, plan a phased rollout aligned with your maintenance windows and protocol criticality.
Detection guidance
Monitor gateway logs and audit trails for invocations of the bac-scanresult method with unusual or suspicious file path parameters, particularly those targeting configuration, firmware, or log directories. Network intrusion detection systems (IDS) should flag attempts to access gateway management interfaces from unexpected source IPs or with unusual authentication patterns. Check for unexpected file deletions on affected gateways using file integrity monitoring (FIM) tools. Correlate authentication logs with file-system logs to identify user accounts performing unauthorized file operations. Review access control lists on gateway management interfaces to ensure only authorized personnel and systems can invoke administrative methods.
Why prioritize this
Despite not being on the KEV list, this vulnerability warrants high priority due to its CVSS 8.1 score, broad product scope, and the critical nature of industrial gateway devices in networked environments. The combination of network accessibility and high availability/integrity impact means that even low-privilege authenticated users pose a significant threat. Industrial environments often have long patch cycles; organizations should treat this as urgent to reduce the window of vulnerability before active exploitation becomes widespread.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network Attack Vector—the method is accessible remotely without requiring physical proximity; (2) Low Attack Complexity—no special conditions or race conditions are needed; (3) Low Privileges Required—valid user credentials suffice, not administrative elevation; (4) No User Interaction—the attack is autonomous once triggered; (5) Unchanged Scope—the impact is confined to the affected system; (6) High Integrity and Availability Impact—arbitrary file deletion directly undermines file integrity and can render systems unavailable. The absence of confidentiality impact (the attacker does not read files) prevents a CRITICAL score, but the combined integrity and availability loss justifies HIGH severity.
Frequently asked questions
Can an attacker without credentials exploit this vulnerability?
No. The vulnerability requires valid user-level credentials (PR:L in the CVSS vector). An attacker must have a legitimate account or must first compromise one to leverage bac-scanresult. This is why restricting administrative access to gateway interfaces is a critical control.
What is CWE-73 and why does it matter here?
CWE-73 (External Control of File Name or Path) describes cases where user-supplied input is used directly in file operations without proper validation. In this case, the bac-scanresult method likely concatenates user input into a file path without checking for directory traversal or absolute paths, allowing deletion of any file the gateway process has permission to delete.
Are all MBS Solutions products equally affected?
All products listed—universal gateway firmware and both dual/triple-protocol converters—are known to be affected. However, exposure depends on deployment: if a gateway is isolated on a private network with restricted user access, the practical risk is lower. Gateways exposed to untrusted networks or with overly permissive user accounts face greater risk.
What should we do if we cannot patch immediately?
Implement compensating controls: restrict network access to gateway management interfaces via firewall rules; enforce strong authentication and limit user accounts with access; enable detailed logging of all gateway management activity; monitor file-system changes on affected devices; and consider isolating critical gateways on air-gapped or heavily segmented networks until patches can be applied.
This analysis is based on publicly available information as of the CVE publication date and known technical details. Organizations should verify patch availability and compatibility with their specific firmware versions and deployment configurations directly with MBS Solutions. This advisory does not constitute a guarantee of vulnerability presence or absence in any specific system and should be used in conjunction with your own security assessments and vendor guidance. Exploit code is not provided or endorsed. Always test patches in non-production environments before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35080HIGHMBS Solutions Gateway Firmware Arbitrary File Deletion Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass