CVE-2026-35081: MBS Solutions Gateway Process Termination Vulnerability
A vulnerability in MBS Solutions' gateway and protocol conversion products allows authenticated users to remotely stop arbitrary processes on affected devices. An attacker who already has valid user credentials can exploit insufficient input validation in the ugw-logstop method to terminate critical services, potentially disrupting device functionality or causing a denial of service. This is a HIGH severity issue requiring prompt attention in networked industrial and building automation environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- CWE-20
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35081 is an input validation flaw (CWE-20) within the ugw-logstop method across MBS Solutions' Universal Gateway firmware and protocol bridge products. The vulnerability allows an authenticated attacker to pass malicious input that is insufficiently validated, resulting in arbitrary process termination on the target device. With a CVSS 3.1 score of 8.1, the attack requires network access and valid user privileges but no user interaction, and impacts both integrity and availability while maintaining confidentiality.
Business impact
For organizations deploying MBS Solutions gateways in facility management, building automation, or industrial control networks, this vulnerability poses a significant operational risk. Unauthorized or malicious process termination can disrupt protocol bridges, halt gateway services, and cascade into loss of communication between building systems or production networks. Incident response becomes complex in multi-vendor environments where gateway outages may not be immediately attributed to process kills. Regulatory compliance obligations (ISO 27001, NERC CIP, facility automation standards) may be triggered if availability targets are breached.
Affected systems
The Universal Gateway firmware and all Double-A, Double-X, Single-A, Single-X, and Triple-X variants are affected. These include protocol-specific models spanning PROFIBUS, X-Link, CAN, DALI, KNX, LON, M-Bus, and PROFINET interfaces, as well as multi-protocol combinations. Any MBS Solutions device running vulnerable firmware versions is at risk if user accounts exist on the system.
Exploitability
Exploitability is moderate to high. The attack requires prior authentication—an attacker must possess valid user credentials—but does not require social engineering, user interaction, or special environmental conditions. Network accessibility is sufficient; local access is not mandatory. The straightforward nature of input validation bypasses suggests proof-of-concept development is feasible for a moderately skilled attacker with insider knowledge or compromised credentials.
Remediation
MBS Solutions should release patched firmware versions for all affected product families. Until patches are available, organizations should enforce strict access controls limiting user account creation, implement network segmentation isolating gateway devices, and enable detailed logging of process termination events. Credential rotation and strong password policies reduce the attack surface for compromised user accounts.
Patch guidance
Contact MBS Solutions directly to determine patch availability and timeline for your specific gateway model and firmware version. Verify the firmware version currently deployed using the device management interface. Schedule patching during maintenance windows to avoid disruption to bridged networks. Test patches in a non-production environment before broad deployment, particularly in industrial or critical facility contexts.
Detection guidance
Monitor for unusual process termination events on deployed gateway devices, particularly targeting system-critical services. Review authentication logs for failed or successful logins from unexpected sources. Network-level detection is difficult without device logs; enable syslog forwarding or SNMP traps to a security information and event management (SIEM) system if the gateway supports it. Baseline normal process lifecycles and alert on deviations.
Why prioritize this
Despite not being listed in CISA's Known Exploited Vulnerabilities catalog as of the vulnerability's publication, this issue merits rapid prioritization due to its HIGH severity rating, the breadth of affected product variants, and the relative ease of exploitation by authenticated users. Gateway and protocol bridge devices are often critical path components; their compromise can disrupt downstream systems or networks. Organizations in regulated industries should treat this with the same urgency as a CRITICAL issue.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible vulnerability requiring valid user credentials, achieving high impact on both integrity and availability while preserving confidentiality. The vector AV:N/AC:L/PR:L/UI:N/S:U reflects the modest barrier to entry (authentication) balanced against the severity of impact (process termination). The score does not account for the installed prevalence of these devices in facility automation, which elevates real-world risk for many organizations.
Frequently asked questions
Do we need user credentials to exploit this vulnerability?
Yes. The attacker must have valid user account credentials on the affected gateway device. This could be an administrative account, a standard user account, or a service account if provisioned. Credential compromise through phishing, insider threat, or password reuse significantly increases risk.
What happens if a critical gateway process is terminated?
Terminating core gateway processes typically disrupts protocol bridging or communication between networked systems. Depending on the process and system design, this might cause temporary service unavailability (if auto-restart is enabled), complete loss of gateway functionality, or cascading failures in downstream systems that depend on the gateway for communication.
Is this vulnerability actively exploited in the wild?
As of the publication date, this vulnerability is not documented in CISA's Known Exploited Vulnerabilities (KEV) catalog, and there is no public evidence of active exploitation. However, the straightforward nature of input validation bypasses makes exploitation plausible once attacker interest materializes, particularly if MBS Solutions devices are targeted by nation-state or organized crime groups.
How should we inventory our exposure to this CVE?
Identify all MBS Solutions gateway devices in your environment by model number and current firmware version. Check the device management web interface or command-line interface (CLI) for version information. Cross-reference against the vendor's advisory (when released) to confirm affected versions. Prioritize devices that bridge critical control networks or have external network exposure.
This analysis is based on vulnerability disclosure data published as of the modification date. Patch availability, remediation timelines, and vendor-specific guidance should be verified directly with MBS Solutions. This vulnerability requires authenticated access; however, credential compromise through phishing or insider threats should be considered in risk models. The real-world impact will vary based on device role, automation environment, and incident response capabilities. This material is provided for informational purposes and does not constitute legal or technical advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-10020HIGHChrome Android Sandbox Escape via Skia Input Validation Flaw
- CVE-2026-10021HIGHGoogle Chrome USB Validation Flaw – RCE Vulnerability Patch
- CVE-2026-10863HIGHMISP Correlations Query Ordering Vulnerability (CVSS 8.1)
- CVE-2026-10904HIGHChrome V8 Sandbox Escape Remote Code Execution
- CVE-2026-10911HIGHChrome Sandbox Escape Vulnerability (High Severity)
- CVE-2026-10917HIGHChrome Media Sandbox Escape Vulnerability (High CVSS 8.3)