HIGH 8.1

CVE-2026-35079: MBS Solutions Gateway File Deletion Vulnerability (CVSS 8.1)

CVE-2026-35079 is a file deletion vulnerability in MBS Solutions' Universal Gateway firmware and related gateway products. An attacker who already has valid user credentials can exploit the ugw-restore method to delete arbitrary files on the device. Because the vulnerability requires existing user access, the risk depends heavily on your organization's internal security posture and whether these devices are exposed to untrusted users.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-73
Affected products
19 configuration(s)
Published / Modified
2026-06-03 / 2026-07-03

NVD description (verbatim)

The ugw-restore method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The ugw-restore method in MBS Solutions gateway firmware fails to properly validate user-supplied input, enabling a locally-authenticated remote attacker to delete arbitrary files. This reflects a classic input validation weakness (CWE-73: External Control of File Name or Path) where user input is passed directly to file operations without sanitization. The CVSS 3.1 score of 8.1 reflects high integrity and availability impact via network access, moderated by the requirement for prior authentication.

Business impact

Successful exploitation could result in denial of service, loss of gateway configuration, deletion of audit logs or operational data, and potential cascading failures in industrial gateway networks. Organizations operating these devices in critical infrastructure or process automation environments face significant operational risk if attackers with valid credentials exploit this method.

Affected systems

The vulnerability affects MBS Solutions' Universal Gateway firmware and 18 identified gateway product variants, including models supporting Profibus, M-Bus, KNX, DALI, LON, Profinet, CAN, and X-Link protocols. Organizations should identify deployed instances of any single-a, double-a, double-x, triple-x, or universal_gateway_firmware products in their environments.

Exploitability

Exploitation requires valid user credentials and network access to the affected device, reducing opportunistic attack surface. However, the flaw does not require special configuration or user interaction, and the attack vector is network-accessible. Insider threats, compromised service accounts, or weak credential hygiene could substantially increase real-world risk. The vulnerability is not yet flagged in the CISA KEV catalog, though this does not diminish its severity in environments where authentication boundaries are weak.

Remediation

Apply vendor patches immediately if available; consult MBS Solutions advisories for specific version numbers and product SKUs. In parallel, restrict network access to gateway management interfaces via firewall rules, disable the ugw-restore method if unused, and enforce strong authentication and access controls. Monitor device logs for suspicious restore attempts and file deletions.

Patch guidance

Verify the latest firmware version available from MBS Solutions for each product variant in your deployment. Patch releases are typically backported across the gateway product line. Establish a pre-production test window to confirm patches do not disrupt operational protocols (Profibus, KNX, etc.) before full rollout. Document baseline configurations before patching to ease rollback if needed.

Detection guidance

Monitor syslog, firmware logs, or device management interfaces for invocations of the ugw-restore method, particularly from unexpected source IP addresses or accounts. Track file deletion events within the firmware. Implement integrity monitoring on configuration files and critical system binaries. Alert on failed authentication attempts followed by successful restore calls, which may indicate credential compromise. Network segmentation can limit lateral movement if one gateway is breached.

Why prioritize this

A CVSS 8.1 HIGH severity score combined with broad product impact justifies rapid remediation. While authentication is required, this is a high-value target in industrial and gateway environments. The flaw enables attackers to disable logging or configurations, making containment and forensics harder post-breach. Prioritize patching gateways in critical infrastructure, air-gapped networks, and zones where insider threat risk is elevated.

Risk score, explained

The CVSS 8.1 reflects network accessibility, high integrity impact (file deletion), high availability impact (DoS through configuration loss), and a requirement for low-privilege user authentication. The attack complexity is low—no special conditions or exploits needed beyond valid credentials. Integrity and availability are both marked high because file deletion is permanent and can paralyze gateway function. The attack surface is NOT significantly reduced by the authentication requirement in environments where service accounts are shared, credentials are weak, or insider threat is a concern.

Frequently asked questions

Does this vulnerability require administrative privileges to exploit?

No. The vulnerability requires only valid user-level credentials. An attacker with any legitimate account can invoke ugw-restore to delete arbitrary files, making it a significant insider risk and a concern if credentials are compromised or shared.

Can this be exploited over the internet?

Yes, if the gateway is accessible on a network and authentication is available. This includes remote access via VPNs, cloud gateways, or if the device is directly internet-facing. Network segmentation and strict access controls are critical mitigations.

Is there a workaround if I cannot patch immediately?

Disable or restrict network access to the ugw-restore method if your gateway firmware or management interface supports fine-grained control. Implement IP-level firewall rules to limit access to gateway management ports. Enforce multi-factor authentication if available. These steps reduce attack surface while you prepare for patching.

Which MBS Solutions products are affected?

The vulnerability affects Universal Gateway firmware and all documented gateway product variants, including single-a, double-a, double-x, and triple-x series across Profibus, M-Bus, KNX, DALI, LON, Profinet, CAN, and X-Link protocol support. Check the vendor advisory for exact affected versions.

This analysis is based on publicly available CVE data current as of the publication date. Specific patch versions, availability, and remediation timelines must be verified against MBS Solutions' official security advisories and product documentation. SEC.co makes no representation regarding the completeness or accuracy of vendor information. Organizations should conduct their own vulnerability assessment and testing in accordance with their risk management policies. This document is for informational purposes and does not constitute professional security advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).