HIGH 8.8

CVE-2026-35084: Stack Buffer Overflow in MBS Solutions DALI-DevConfig – Root Privilege Escalation

A stack buffer overflow vulnerability in the dali-devconfig component affects a broad range of MBS Solutions gateway and protocol conversion devices. An attacker with basic user-level access to the network can send a specially crafted request that overwrites memory on the device, potentially achieving full root-level system compromise. This is a particularly serious issue because these devices typically operate as trusted infrastructure components in industrial and building automation networks, where an attacker gaining root access could manipulate critical system functions or pivot to downstream systems.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-121
Affected products
19 configuration(s)
Published / Modified
2026-06-03 / 2026-07-03

NVD description (verbatim)

A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35084 is a stack-based buffer overflow (CWE-121) in the dali-devconfig configuration handler within MBS Solutions' multi-protocol gateway and conversion appliances. The vulnerability requires only low-privilege user authentication to trigger, meaning an attacker with basic network credentials—such as a default or shared service account—can craft an oversized input that corrupts the stack and enables arbitrary code execution as the root user. The attack does not require user interaction and can be executed over the network with minimal complexity, as reflected in the CVSS v3.1 score of 8.8 (HIGH).

Business impact

Compromise of these gateway devices could allow an attacker to intercept, modify, or block communications across critical industrial control, HVAC, lighting, and building management networks. In industrial settings, this could lead to production downtime or safety incidents. In commercial buildings, attackers could manipulate DALI lighting control, PROFINET sensor networks, KNX automation, or M-Bus utility metering. The wide product portfolio affected means organizations using MBS Solutions appliances across multiple protocol domains face a unified risk vector.

Affected systems

The vulnerability impacts 19 distinct MBS Solutions product variants, spanning single and multi-protocol gateways. Affected devices include those handling DALI, PROFINET, KNX, M-Bus, LON, CAN, Profibus, and X-Link protocols, as well as the Universal Gateway Firmware. Any organization running these appliances in production should treat this as a widespread exposure requiring immediate inventory verification and patching.

Exploitability

Exploitation is straightforward: an attacker who has obtained or bypassed authentication (through credential compromise, social engineering, or weak default credentials) can send a malformed configuration command to trigger the buffer overflow. The attack requires no special timing or race conditions, no user interaction on the target device, and functions across standard network protocols. The only friction is the requirement for authenticated access, which is minimal in many operational environments where service accounts are shared or poorly rotated.

Remediation

MBS Solutions has released or will release security patches addressing this stack overflow. Organizations must verify patch availability from the vendor's security advisory, test patches in non-production environments given the critical nature of these gateway devices, and coordinate staged deployment to avoid service disruption. Concurrent mitigation should include restricting network access to these devices via firewall rules and reviewing authentication logs for suspicious activity.

Patch guidance

Contact MBS Solutions directly or consult their official security advisory to obtain patched firmware versions for each affected product line. Given the diversity of protocol variants and use cases, patch compatibility and rollback procedures should be validated in a lab environment before production deployment. Prioritize devices that handle business-critical or safety-relevant protocols (PROFINET, KNX) and those exposed to untrusted networks. Document the firmware version before and after patching to enable rollback if required.

Detection guidance

Monitor network traffic to these devices for unusual authentication patterns, especially repeated failed logins or authentication from unexpected source IPs. Review device logs for configuration commands with abnormally large payloads or malformed dali-devconfig requests. Implement network-based anomaly detection to flag sudden changes in device behavior post-compromise, such as new outbound connections or altered protocol behavior. Capture and analyze core dumps if the device crashes unexpectedly, as this may indicate exploitation attempts.

Why prioritize this

This vulnerability combines high severity (CVSS 8.8), low attack complexity, and widespread product impact. While the CVSS does require authenticated access, many operational environments have weak access controls on these gateway appliances. The scope of the product family means a single patch cycle could reduce risk across multiple protocol domains simultaneously. Rapid patching significantly reduces the window of exposure before threat actors gain full system access on critical infrastructure appliances.

Risk score, explained

The CVSS v3.1 score of 8.8 reflects high confidentiality, integrity, and availability impact from root code execution, combined with network accessibility and low attack complexity. The score is appropriately high because compromise of these gateway appliances directly threatens both the confidentiality and integrity of industrial and building automation networks. The presence of authentication requirement prevents a perfect 9.8, but does not substantially reduce operational risk in environments where credentials are weak or shared.

Frequently asked questions

Do we need to patch all 19 product variants, or only the ones we use?

Patch only the specific product models and protocol variants deployed in your environment. However, if your organization runs multiple MBS Solutions devices across different protocols, treat patching as a coordinated initiative: prioritize devices handling time-critical or safety-relevant systems first, then move to management and monitoring appliances. Verify patch availability and compatibility for each variant with MBS Solutions support.

What if we cannot patch immediately due to operational constraints?

Implement compensating controls: restrict network access to these devices via firewall ingress rules, limit authenticated access to trusted service accounts only, and disable remote administration if not actively required. Monitor authentication attempts and configuration changes closely. Develop a patching timeline with your vendor and operations team, aiming for the shortest feasible window. An unpatched, externally accessible gateway device is a critical risk.

How would we know if one of these devices has been compromised?

Watch for unexpected process execution, new outbound connections, or changes to network routes and firewall rules on the device itself. Review authentication logs for suspicious login times or sources. If the device crashes or reboots unexpectedly, preserve logs and core dumps for forensic analysis. If you suspect compromise, isolate the device from the network, engage your incident response team, and contact MBS Solutions for support.

Are there any known attacks exploiting this vulnerability in the wild?

According to available intelligence, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. However, the low barrier to exploitation and the critical nature of affected devices make this an attractive target for state-sponsored and organized threat actors. Do not assume there is no active exploitation simply because KEV status is not yet assigned; patch proactively.

This analysis is based on published vulnerability data and vendor disclosures as of the modification date. Exploit details, patch release dates, and vendor statements are subject to change. Organizations should verify all patch versions, availability, and compatibility directly with MBS Solutions. This content is for informational and educational purposes and does not constitute professional security advice. Conduct your own risk assessment and consult qualified security professionals before implementing any remediation steps. SEC.co assumes no liability for third-party product vulnerabilities or the outcome of remediation efforts. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).