CVE-2026-35078: Arbitrary File Deletion in MBS Solutions Gateway Firmware
A vulnerability in MBS Solutions gateway products allows authenticated users to delete files from affected systems without proper authorization. An attacker with valid user credentials can exploit the ugw-logstop method to remove arbitrary files, potentially disrupting system operations or destroying evidence. This is classified as a high-severity flaw because it requires only standard user access and can cause significant damage to system integrity and availability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-73
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35078 exists in the ugw-logstop method across MBS Solutions' Universal Gateway firmware and related Double-X, Triple-X, and Single-X product lines. The vulnerability stems from insufficient input validation (CWE-73: External Control of File Name or Path) that fails to properly restrict file deletion operations. An authenticated attacker can craft malicious requests to delete arbitrary local files on the affected device. The CVSS 3.1 score of 8.1 (HIGH) reflects the combination of network-accessible attack surface, low complexity, requirement for user-level privileges, and high impact to both integrity and availability. No user interaction is required for exploitation.
Business impact
Organizations deploying MBS Solutions gateway equipment in industrial control, building automation, or protocol conversion roles face operational risk. Successful exploitation could result in loss of critical system files, configuration corruption, inability to access logs or historical data, and potential system instability or downtime. In environments where these gateways manage mission-critical protocol translation or data logging, file deletion could impact process visibility, compliance audit trails, or failover mechanisms. Attackers with compromised user credentials—whether through phishing, credential reuse, or insider threats—can cause immediate damage without requiring elevated privileges.
Affected systems
The vulnerability affects MBS Solutions' Universal Gateway firmware and all variants of Double-A, Double-X, Single-A, Single-X, and Triple-X product lines. These include protocol-specific variants such as Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, and Profinet adapters, as well as multi-protocol versions. Any organization using these gateways for protocol conversion, data logging, or industrial/building automation integration should verify their installed versions and patch status.
Exploitability
This vulnerability requires valid user credentials; it is not remotely exploitable by unauthenticated attackers. However, the bar for exploitation is low: any legitimate user account—including those with standard (non-administrative) privileges—can trigger the attack over the network. Given the prevalence of credential compromise, credential sharing, or weak password practices in operational technology environments, the practical exploitability is moderate to high. The complexity of launching the attack is low; no special conditions or race conditions are required. No public exploit code is documented at this time, and the vulnerability is not tracked on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Remediation
Organizations should immediately identify and inventory all MBS Solutions gateways in their environments. Check the vendor advisory for patched firmware versions applicable to your specific product variant. Apply patches to all affected devices according to your change management process. In parallel, implement access controls to limit user account creation and enforce strong authentication; restrict network access to gateway management interfaces where possible. Monitor and audit user activity on gateway devices to detect suspicious file deletion patterns. Consider isolating gateways that cannot be patched in the near term or implementing compensating controls such as read-only filesystem configurations if technically feasible.
Patch guidance
Consult the MBS Solutions security advisory for patched firmware versions specific to your product line and variant. Patches should address the input validation flaw in the ugw-logstop method. Follow your vendor's firmware upgrade procedure, which typically involves downloading the appropriate release, backing up configuration, and applying the update either locally or remotely. Verify that the patched version is confirmed in your environment post-deployment. If patch availability is delayed for your specific product variant, prioritize patching the most critical or exposed instances first.
Detection guidance
Monitor gateway logs and system audit trails for unusual file deletion operations, particularly those initiated by non-administrative users or during off-hours. Look for repeated failed or successful ugw-logstop method calls with suspicious file paths. Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized deletions. Network-level detection should focus on unusual API or method calls to gateway management endpoints from inside the network. Check for anomalies in user account activity, such as logins from unusual locations or times followed by file deletion events. Correlate user activity logs with configuration change logs to identify patterns consistent with exploitation.
Why prioritize this
This vulnerability merits urgent attention due to its high CVSS score, the ease of exploitation by any authenticated user, and the direct impact on system integrity and availability. Unlike vulnerabilities requiring administrative privileges or user interaction, this one can be exploited by any account holder. Given the industrial and automation focus of affected products, file deletion could disrupt critical processes or destroy evidence needed for incident response. Organizations should prioritize patching or mitigating devices exposed to untrusted users or in high-availability environments.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) network-accessible attack vector with low attack complexity; (2) requirement for low privileges (authenticated user level, not administrative); (3) no user interaction needed; (4) high impact to integrity (arbitrary file deletion) and availability (system instability or data loss); (5) unchanged scope (no privilege escalation to other systems). The score does not account for confidentiality because the vulnerability does not directly leak data, only destroys it. The high rating appropriately captures the serious operational risk posed by an easily-exploitable, integrity-destroying flaw in gateway appliances.
Frequently asked questions
Can this vulnerability be exploited by someone without a user account?
No. The vulnerability requires valid user credentials and authenticated access to the ugw-logstop method. However, any user account—including standard (non-administrative) accounts—can be weaponized to trigger the attack, so credential compromise or sharing is a realistic attack path.
What files can be deleted?
The vulnerability allows deletion of arbitrary local files on the affected device. The lack of input validation means an attacker can target system files, configuration files, logs, or any file accessible to the gateway's process. This makes the attack particularly damaging.
Is this vulnerability being actively exploited in the wild?
As of the last update, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog, and no public exploitation has been widely reported. However, the relative ease of exploitation means organizations should not rely on this as a reason to delay patching.
What should I do if I cannot patch immediately?
Prioritize access control measures: limit user account creation, enforce strong authentication, and restrict network access to gateway management interfaces. Enable audit logging and file integrity monitoring. Consider isolating critical gateways or implementing additional network segmentation. Develop and test an incident response plan specific to unauthorized file deletion scenarios.
This analysis is based on published vulnerability data as of the modification date (2026-07-03). Patch availability, affected versions, and vendor guidance may evolve; always consult the MBS Solutions official security advisory for authoritative information. The CVSS score and vector are derived from vendor submissions and represent point-in-time technical severity; organizational risk may differ based on deployment context, network exposure, and compensating controls. This document does not constitute legal or compliance advice. Organizations should validate all remediation steps in a test environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35076HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability
- CVE-2026-35077HIGHMBS Solutions Gateway Arbitrary File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35079HIGHMBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)
- CVE-2026-35080HIGHMBS Solutions Gateway Firmware Arbitrary File Deletion Vulnerability
- CVE-2026-10694HIGHRemote File Inclusion in SourceCodester Online Food Ordering System 2.0
- CVE-2026-10558MEDIUMSourceCodester Pizzafy 1.0 File Inclusion Vulnerability – Admin RCE Risk
- CVE-2026-10559MEDIUMFile Inclusion in SourceCodester Pizzafy Ecommerce System 1.0
- CVE-2026-20175MEDIUMCisco Finesse Remote File Injection via Client-Side Request Validation Bypass