HIGH 8.1

CVE-2026-35080: MBS Solutions Gateway Firmware Arbitrary File Deletion Vulnerability

A flaw in MBS Solutions gateway firmware allows authenticated users to delete files they shouldn't have access to. An attacker with valid login credentials can exploit the ugw-restoreinfo method to remove arbitrary files from affected devices, potentially disrupting operations or destroying critical system data. The vulnerability requires existing user privileges but poses a serious risk to the integrity and availability of gateway-based infrastructure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-73
Affected products
19 configuration(s)
Published / Modified
2026-06-03 / 2026-07-03

NVD description (verbatim)

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35080 is a CWE-73 (External Control of File Name or Path) vulnerability in MBS Solutions Universal Gateway Firmware and derived product lines. The ugw-restoreinfo API method fails to properly validate user-supplied input before performing file operations, allowing an authenticated attacker to specify arbitrary file paths for deletion. The CVSS v3.1 score of 8.1 (HIGH) reflects a network-accessible attack requiring low privilege and no user interaction, with high impact on integrity and availability but no confidentiality breach.

Business impact

Organizations deploying MBS Solutions gateways face potential data loss and operational disruption. Industrial control environments relying on Double-A, Double-X, or Triple-X gateway variants for protocol bridging (Profibus, Profinet, KNX, DALI, Modbus, M-Bus, Lon, CAN, X-Link) could experience unplanned downtime if critical configuration or system files are deleted. Supply chain integrators and facility automation operators should assess whether their deployed instances contain sensitive files in predictable locations that an insider or compromised account could target.

Affected systems

All MBS Solutions gateway product lines running Universal Gateway Firmware are affected, including: Double-A Profibus, Double-X variants (CAN, DALI, KNX, Lon, M-Bus, Profinet, X-Link), Single-A, Single-X, and all Triple-X combinations (KNX+DALI, KNX+Lon, KNX+M-Bus, Profinet+DALI, Profinet+KNX, Profinet+Lon, Profinet+M-Bus). Organizations should verify exact firmware versions in use; patch guidance from the vendor will specify which versions are vulnerable and which contain fixes.

Exploitability

Exploitation requires valid user credentials—this is not an unauthenticated attack. However, the barrier is relatively low: many organizations grant local technicians or remote support personnel user-level access to gateway administration. Once authenticated, an attacker can craft a malicious request to the ugw-restoreinfo endpoint specifying a file path, bypassing intended access controls. No special tools or advanced techniques are required beyond standard HTTP/API interaction, making the attack straightforward for an insider threat or compromised account scenario.

Remediation

Contact MBS Solutions immediately to obtain patched firmware versions for your specific gateway model and deployment. Isolate affected gateways to trusted networks with strict access controls pending patch availability. Implement network segmentation so that gateway administration interfaces are not directly reachable from untrusted zones. Review user access logs for suspicious restoreinfo method calls and audit which users currently hold administrative credentials. Consider temporary user account audits to identify unnecessary high-privilege assignments.

Patch guidance

MBS Solutions should release firmware updates for Universal Gateway Firmware addressing the input validation flaw in the ugw-restoreinfo method. Verify against the vendor advisory for specific patched version numbers for each product line (Double-A, Double-X, Single-A, Single-X, Triple-X variants). Plan a maintenance window to apply patches; coordinating with MBS Solutions support is recommended to confirm compatibility and deployment procedures. Test patches in a non-production environment first, as gateway firmware updates may require device reboot.

Detection guidance

Monitor gateway logs and API request logs for calls to the ugw-restoreinfo method, especially those containing file path parameters pointing to system or configuration directories. Alert on successful deletions or errors related to file operations triggered by non-administrative user accounts. Implement a baseline of legitimate restoreinfo calls during normal operation and flag deviations. Network IDS/IPS rules should be updated once the vendor confirms the exact request signatures associated with exploitation attempts.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH CVSS score, the broad attack surface across multiple MBS Solutions product lines, and the direct threat to data integrity and system availability. While authentication is required, the consequence of successful exploitation—arbitrary file deletion—can be severe in industrial control and facility automation environments where gateway configuration and firmware are often stored locally. Organizations should prioritize patching after confirming they run vulnerable firmware versions.

Risk score, explained

CVSS 8.1 reflects: (1) network accessibility (no physical proximity required), (2) low privilege barrier (standard user credentials sufficient), (3) no user interaction required for exploitation, (4) scope unchanged (impact is localized to the affected component), (5) high integrity impact (files can be deleted), and (6) high availability impact (loss of critical files can disrupt operations). The absence of confidentiality impact prevents a critical rating.

Frequently asked questions

Do I need administrator privileges to exploit this vulnerability?

No. The vulnerability requires valid user-level credentials, not administrative access. Any authenticated user of the gateway can potentially trigger the flaw, making it accessible to support staff, technicians, or other personnel with standard gateway accounts.

What file types are at risk?

The vulnerability allows deletion of arbitrary local files, including configuration files, firmware backups, logs, and system files. Attackers could delete files they discover through reconnaissance or target commonly named critical files. The specific impact depends on your deployment and file structure.

Is this vulnerability currently being exploited in the wild?

This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at this time, suggesting no widespread active exploitation has been confirmed. However, organizations should not rely on this; exploitation could begin once patches are released or if targeted attacks occur.

Can I mitigate this while waiting for a patch?

Implement strict network access controls to limit who can reach the gateway's API. Disable or restrict the ugw-restoreinfo method if your gateway firmware offers that configuration option. Audit and minimize user accounts with gateway access privileges. Enable detailed logging of all API calls. These measures reduce risk but do not eliminate it; patching remains essential.

This analysis is based on publicly available vulnerability data as of the publication date. Patch version numbers and detailed remediation procedures must be verified against official MBS Solutions vendor advisories. Organizations should conduct their own risk assessment based on deployment specifics, network topology, and access controls. No proof-of-concept or weaponized exploitation details are provided herein. Security professionals should coordinate with MBS Solutions support and follow change management procedures when deploying patches to production gateway infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).