CVE-2026-35077: MBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
A vulnerability in MBS Solutions gateway products allows authenticated users to delete files they shouldn't have access to. An attacker with valid user credentials can exploit the ugw-delete-file method to remove arbitrary files from affected systems by bypassing input validation controls. This is especially concerning in industrial automation environments where these gateways often handle critical protocol conversions and data flows.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-73
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35077 is a file deletion vulnerability affecting MBS Solutions' universal gateway firmware and related Double/Single/Triple-X product variants. The ugw-delete-file method fails to properly validate user-supplied input, permitting authenticated attackers to construct requests that delete arbitrary files on the target system. The vulnerability is classified under CWE-73 (External Control of File Name or Path) and carries a CVSS 3.1 score of 8.1 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The network-accessible attack surface, low complexity, and requirement for only basic user-level privileges make this a high-severity issue in environments where these gateways are deployed.
Business impact
Successful exploitation could disrupt industrial processes by corrupting or removing critical configuration files, firmware components, or operational logs. In protocol gateway applications (Profibus, ProfiNET, KNX, DALI, LON, M-Bus, CAN, X-Link), file deletion attacks may cause loss of converter settings, gateway state information, or audit trails. For organizations relying on these products for industrial control system (ICS) integration, this vulnerability poses operational continuity and data integrity risks. Compliance auditing capabilities may be compromised if log files are targeted.
Affected systems
MBS Solutions' universal gateway firmware and 18 gateway product variants are affected, including the Single-A, Single-X, and Double-X lines, as well as multi-protocol Triple-X products combining KNX, DALI, LON, M-Bus, and ProfiNET modules. Any deployment of these gateways in production environments—particularly those managing protocol translation in manufacturing, building automation, or utility networks—requires assessment and remediation.
Exploitability
This vulnerability requires valid user credentials to exploit; it is not unauthenticated remote code execution. However, user-level privileges are sufficient—no administrator role is necessary. The attack is network-accessible and requires minimal interaction, making it attractive to insider threats or attackers who have compromised standard user accounts. The lack of a public KEV entry suggests limited widespread exploitation detected to date, but the ease of exploitation once authenticated warrants proactive remediation.
Remediation
Consult MBS Solutions' vendor advisories for patched firmware versions specific to your product variant. Given the breadth of affected products, verify patch availability for your exact gateway model and protocol modules. Apply security updates in a maintenance window appropriate for your operational environment. Additionally, implement network segmentation to limit gateway access to authorized administrative interfaces, and enforce the principle of least privilege for user accounts that interact with these systems.
Patch guidance
Contact MBS Solutions support or review their security bulletins to obtain patched firmware versions for your specific gateway product and protocol modules (e.g., universal_gateway_firmware, Double-A Profibus, Triple-X ProfiNET+KNX, etc.). Test patches in a non-production environment to confirm compatibility with your protocol configurations and connected devices. Establish a maintenance window to deploy updates, as firmware upgrades may require gateway restart and temporary service interruption. Document pre- and post-patch validation of gateway functionality across supported protocols.
Detection guidance
Monitor for unexpected file deletion attempts on gateway systems, particularly targeting configuration, firmware, or log directories. Review gateway access logs and authentication records for unusual user activity patterns—legitimate administrative operations should follow predictable schedules and involve known accounts. Network intrusion detection can flag suspicious uploads or unusual method invocations targeting the ugw-delete-file endpoint. Where possible, enable detailed file system auditing on the gateway platform to capture deletion events and correlate them with user sessions.
Why prioritize this
Although this vulnerability requires authentication, the combination of network accessibility, low attack complexity, and high impact on file integrity in industrial infrastructure merits prioritization. User-level compromise or insider threats can directly trigger arbitrary file deletion with cascading effects on gateway operations. Organizations managing multiple protocol integrations through these gateways should treat this as a medium-to-high urgency remediation item, particularly if their user base includes contractors or external integrators.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects a HIGH severity rating driven by high impact on integrity and availability, network accessibility, and low barriers to exploitation for authenticated users. The score does not include confidentiality impact, as the vulnerability does not enable unauthorized data exfiltration. The requirement for valid credentials (PR:L) prevents a critical score, but the ease of mounting attacks once authenticated, combined with potential operational consequences in industrial settings, justifies the 8.1 assessment.
Frequently asked questions
Do we need to patch immediately if we have network segmentation isolating our gateways?
Network segmentation is a valuable control but does not eliminate the need to patch. If any authenticated user or administrator can reach the gateway, the vulnerability remains exploitable. Prioritize patching alongside your segmentation strategy to achieve defense-in-depth.
Will patching these gateways disrupt our manufacturing processes?
Firmware updates typically require a restart, causing temporary loss of protocol translation. Plan patches during maintenance windows when bridged networks can tolerate downtime. Test patches in a lab environment first to validate compatibility with your specific protocol modules and connected devices.
How can we tell if someone has already exploited this vulnerability?
Review gateway system logs and file integrity monitoring records for unexpected deletion events, especially in configuration or firmware directories. Cross-reference deletion timestamps with user authentication logs and administrator activities to identify anomalies. Enable detailed auditing if not already active.
Are there mitigations if we cannot patch immediately?
Implement strict access controls to limit which user accounts can interact with the gateway, disable remote access where possible, and enhance monitoring of file system changes. These are temporary measures—patching remains the primary remediation.
This analysis is based on publicly disclosed information and vendor data current as of the publication date. CVSS scores and vulnerability details are subject to updates from MBS Solutions and NIST. Patch availability, version numbers, and timelines should be verified directly with MBS Solutions' official security advisories before deployment. This document does not constitute legal or compliance advice; consult your organization's security and compliance teams regarding breach notification obligations and remediation priorities. No exploit code or weaponized proof-of-concept is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35078HIGHArbitrary File Deletion in MBS Solutions Gateway Firmware
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35080HIGHMBS Solutions Gateway Firmware Arbitrary File Deletion Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass