CVE-2026-35082: MBS Solutions Gateway Firmware Path Traversal - File Access Vulnerability
A vulnerability in MBS Solutions' universal gateway firmware and related products allows an authenticated user to read arbitrary files from the affected system. The ugw-logread method does not properly validate file path inputs, enabling attackers with legitimate user credentials to bypass access controls and retrieve sensitive data they shouldn't be able to access. This is a local file disclosure issue that requires valid user credentials to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35082 is a path traversal vulnerability (CWE-22) in the ugw-logread functionality across MBS Solutions' gateway and protocol adapter product line. The flaw stems from insufficient input validation on user-supplied parameters, permitting authenticated attackers to construct requests that traverse directory structures and access files outside intended boundaries. The CVSS 3.1 score of 8.8 reflects high severity due to the combination of network accessibility, low attack complexity, and the confidentiality and integrity impacts achievable with user-level privileges. The attack does not require user interaction and affects the system's security posture significantly.
Business impact
Organizations running MBS Solutions gateway infrastructure face potential exposure of sensitive configuration files, credentials, system logs, and proprietary data accessible through the ugw-logread method. In operational environments—particularly those managing building automation, industrial protocols, or critical infrastructure—unauthorized file access could compromise system integrity, enable lateral movement, or expose compliance-sensitive information. The requirement for user-level credentials narrows the immediate attack surface but increases insider threat risk and the impact of compromised accounts. Downtime from investigation or remediation could disrupt connected protocols and dependent systems.
Affected systems
The vulnerability affects MBS Solutions' entire universal gateway firmware family, including firmware deployed on single-adapter models (single-a, single-x), dual-protocol variants (double-a, double-x series covering PROFIBUS, X-Link, CAN, DALI, KNX, LON, M-Bus, PROFINET), and multi-protocol triple-x configurations. Any deployment using these gateway products with active user accounts is potentially vulnerable. Organizations should inventory all gateway devices running affected firmware versions to determine exposure.
Exploitability
Exploitation requires valid user credentials and network access to the affected gateway. An authenticated user—whether internal staff, third-party integrators, or a compromised account—can craft requests to ugw-logread specifying arbitrary file paths. The low attack complexity and absence of additional interaction requirements make exploitation straightforward once credentials are obtained. The vulnerability does not appear on the CISA KEV catalog, indicating no evidence of active exploitation in the wild at this time, though this does not preclude targeted attacks in specialized industrial environments.
Remediation
Organizations must apply security updates from MBS Solutions that address input validation in the ugw-logread method. Verify the specific patched firmware versions applicable to each deployed gateway model through the vendor's security advisory. Interim mitigations include restricting network access to gateway management interfaces via firewall rules, limiting user account creation to essential personnel only, and monitoring file access logs for anomalous patterns. Credential rotation for users with gateway access is advisable, particularly if account compromise is suspected.
Patch guidance
Contact MBS Solutions directly or consult their security advisory for patched firmware versions specific to your gateway model and protocol configuration. Updates should be tested in a staging environment before production deployment to ensure compatibility with existing protocol bindings and integrations. Schedule patching during maintenance windows to minimize disruption to connected systems. Verify successful patch application by confirming firmware version updates through management interfaces.
Detection guidance
Monitor gateway logs for unusual ugw-logread requests, particularly those containing path traversal sequences (e.g., '../', '..\\') or requests targeting sensitive file locations (/etc, /root, system directories). Implement network-level logging for management traffic to gateway devices. Track authentication events and failed access attempts. Organizations with SIEM or log aggregation can correlate suspicious file read patterns across multiple gateways. File integrity monitoring on gateway systems can detect unauthorized file access attempts.
Why prioritize this
The 8.8 CVSS score and HIGH severity classification reflect the combination of network reachability, high confidentiality and integrity impact, and broad product coverage across MBS Solutions' gateway portfolio. While exploitation requires valid credentials, this remains a significant risk in environments with shared or inherited user accounts, third-party service access, or where credential compromise is plausible. The vulnerability affects foundational infrastructure in industrial and building automation networks, making timely remediation critical to maintain system trustworthiness.
Risk score, explained
The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) assigns a score of 8.8 because: (1) Network accessibility (AV:N) allows remote exploitation without proximity; (2) Low attack complexity (AC:L) means standard tools and methods suffice; (3) Privileges required (PR:L) limits the attacker to user-level access but does not eliminate common attack paths like compromised service accounts; (4) No user interaction required (UI:N) enables automated exploitation; (5) High confidentiality, integrity, and availability impacts (C:H, I:H, A:H) reflect the ability to read, potentially modify, and disrupt system files. The score reflects a serious vulnerability requiring prompt remediation.
Frequently asked questions
Do we need valid credentials to exploit this vulnerability?
Yes. CVE-2026-35082 requires an authenticated user with valid credentials to access the gateway. This means the attacker must already have a user account or must have compromised one. This requirement reduces the exposed attack surface but does not eliminate risk—compromised accounts, inherited credentials, or excessive account provisioning can all create exploitation opportunities.
Is this vulnerability currently being exploited in the wild?
No. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no documented active exploitation as of the advisory date. However, the absence of public reporting does not guarantee absence of targeted attacks in specialized industrial environments or by sophisticated threat actors.
What's the difference between this vulnerability and a general privilege escalation?
This is a path traversal (directory traversal) vulnerability that allows reading files outside the intended directory scope. It does not directly elevate privileges but enables unauthorized information disclosure to users who already have basic access. An attacker cannot elevate to root or admin through this flaw alone, but they can access sensitive files that would normally be restricted.
Should we take this vulnerability seriously if most users don't have direct gateway access?
Yes. Even if end users don't interact with gateways directly, service accounts, automation scripts, integrators, and remote management tools often do. Compromised service accounts or shared credentials pose a real risk. Additionally, in flat-network industrial environments, lateral movement from one compromised system can grant gateway access. Prioritize patching based on the sensitivity of files stored on your gateways and the trustworthiness of all accounts with access.
This analysis is based on vulnerability data published as of the advisory date and does not constitute a substitute for vendor security advisories or professional risk assessment. Specific patch versions, affected build numbers, and detailed remediation steps must be verified against official MBS Solutions security communications. Organizations should conduct internal testing and impact analysis before applying patches to production systems. SEC.co assumes no liability for decisions made based on this intelligence. Consult your vendor and security team for guidance tailored to your environment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-32847HIGHDeepCode Path Traversal Allows Unauthenticated Arbitrary File Read
- CVE-2026-39276HIGHEmlog Pro v2.6.9 Path Traversal Remote Code Execution
- CVE-2026-43624HIGHF5-TTS Path Traversal Vulnerability (CVSS 8.2)
- CVE-2026-44594HIGHLocal File Inclusion in esm.sh CDN – HIGH Severity Information Disclosure
- CVE-2026-45017HIGHPython Liquid Path Traversal Allows Arbitrary File Read