CVE-2026-35085: MBS Solutions Stack Buffer Overflow – Root Code Execution Risk
A stack buffer overflow vulnerability in gdv-serverconfig affects a broad range of MBS Solutions gateway and interface devices. An authenticated attacker with standard user privileges can send a specially crafted network request to trigger the overflow and execute arbitrary code with root-level system access. The vulnerability requires valid user credentials to exploit but no user interaction, making it a significant risk in environments where user account compromise is possible.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-121
- Affected products
- 19 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-07-03
NVD description (verbatim)
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-35085 is a stack buffer overflow (CWE-121) in the gdv-serverconfig component used across MBS Solutions' industrial gateway and protocol conversion product line. The vulnerability has a CVSS 3.1 score of 8.8 (HIGH), with a network attack vector, low attack complexity, and requirement for low-privilege user credentials. Successful exploitation allows an authenticated remote attacker to overwrite stack memory and achieve unauthenticated code execution with root privileges. The flaw exists in multiple product variants spanning protocols including PROFIBUS, PROFINET, KNX, DALI, M-Bus, LON, CAN, and X-Link.
Business impact
Organizations deploying MBS Solutions gateways for industrial automation, building controls, or protocol translation face direct risk of system compromise and potential loss of operational control. A successful exploit grants complete system access as root, enabling attackers to modify configurations, intercept or manipulate protocol communications, and potentially disrupt connected industrial or building systems. The broad product portfolio affected means many organizations may be exposed without immediate visibility. Remediation requires coordinated patching across multiple device types and firmware versions.
Affected systems
Affected products span MBS Solutions' gateway portfolio: Universal Gateway Firmware, Single-A, Single-X, Double-A PROFIBUS, Double-X variants (CAN, DALI, KNX, LON, M-Bus, PROFINET, X-Link), and Triple-X combinations (PROFINET+DALI, PROFINET+KNX, PROFINET+LON, PROFINET+M-Bus, KNX+DALI, KNX+LON, KNX+M-Bus). Organizations should audit inventory to identify which gateway models and firmware versions are deployed and applicable for patching.
Exploitability
Exploitation requires valid user account credentials on the target network or system, but no user interaction or social engineering is necessary once authenticated. The network attack vector and low attack complexity indicate that remote exploitation is straightforward. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date, though this does not guarantee absence of active exploitation. Organizations should assume adversaries capable of obtaining user credentials—whether through compromise, insider threat, or weak credential hygiene—pose an immediate risk.
Remediation
Verify the availability of patched firmware versions from MBS Solutions for each affected product variant and establish a phased patching strategy. Prioritize systems exposed to untrusted networks or handling sensitive protocol traffic. Apply patches in a controlled manner, accounting for potential service disruption during gateway restarts. Where immediate patching is not feasible, implement compensating controls: restrict network access to gateway management interfaces, limit user account privileges, and monitor for suspicious authentication or network activity targeting the affected components.
Patch guidance
Contact MBS Solutions directly or consult their security advisory to obtain patched firmware versions for your specific gateway models. Verify patch availability for all product variants in use before commencing deployment. Test patches in a non-production environment to confirm compatibility with your protocol configurations and downstream systems. Deploy patches during maintenance windows to minimize operational disruption. Document patching progress and maintain records of which devices and firmware versions have been updated for compliance and audit purposes.
Detection guidance
Monitor authentication logs for successful logins from unexpected sources or at unusual times, particularly for service accounts with higher privileges. Implement network-level detection for unusual outbound connections from gateway devices following authentication events. Review system call logs and process execution traces on affected devices for evidence of unexpected code execution or privilege escalation. Maintain baselines of normal gateway behavior and alert on deviations such as unexpected process spawning, memory corruption indicators, or abnormal stack activity. Consider implementing integrity monitoring on the gdv-serverconfig binary and its supporting libraries to detect tampering or exploitation attempts.
Why prioritize this
The combination of high CVSS score (8.8), network-accessible attack surface, low authentication barrier, and broad product portfolio justify immediate prioritization. The ability to achieve root-level code execution from a user-level account makes this a critical escalation path. The industrial automation and building controls domains served by these gateways mean successful exploitation could disrupt operational technology environments. While not yet in the KEV catalog, the straightforward exploitation requirements and sensitive asset class warrant rapid remediation.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects high severity: network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for low-privilege user credentials (PR:L), no user interaction needed (UI:N), and the confidentiality, integrity, and availability impacts (C:H/I:H/A:H) all maximum. The primary limiting factor is the requirement for valid user credentials; however, this constraint is weak in environments with compromised accounts, shared credentials, or insider threats. Organizations should treat this as functionally equivalent to an unauthenticated remote code execution vulnerability when user account hygiene is poor.
Frequently asked questions
Which MBS Solutions products am I affected by?
All MBS Solutions gateway and protocol conversion products listed in the vendor_products field are potentially affected if they use the vulnerable gdv-serverconfig component. This includes the Universal Gateway Firmware and all Single-A, Single-X, Double-A, Double-X, and Triple-X product variants. Check your deployed inventory against the full product list and verify the firmware versions in use.
Do I need a zero-day patch immediately, or can I use compensating controls?
No public exploit code has been identified as of the publication date, and the vulnerability is not listed in CISA's KEV catalog. However, remediation should not be delayed indefinitely. If patched firmware is available from MBS Solutions, prioritize deployment. For devices where patching is delayed, enforce strict network access controls, disable unnecessary user accounts, and implement enhanced logging and alerting on authentication and process activity.
What's the difference between this and an unauthenticated remote code execution?
This vulnerability requires valid user credentials to trigger, which is a material difference in attack surface compared to a fully unauthenticated RCE. However, in environments where user credentials are compromised, shared across teams, or poorly managed, this distinction is largely academic. Treat it with similar urgency to unauthenticated RCE if your organization cannot guarantee strong credential hygiene.
What should I do if I cannot patch immediately?
Implement layered compensating controls: (1) restrict network access to gateway management interfaces using firewalls, VLANs, or air-gapping; (2) enforce multi-factor authentication for user accounts; (3) disable unnecessary user accounts and apply principle of least privilege; (4) enable detailed logging and monitoring for authentication and suspicious process execution; (5) establish a remediation timeline with MBS Solutions and your IT leadership; (6) perform regular vulnerability rescans to confirm controls are in place.
This analysis is based on vulnerability data published as of 2026-07-03 and does not constitute a guarantee of patch availability, exploit details, or remediation effectiveness. Organizations must verify all patch versions, product applicability, and remediation steps directly with MBS Solutions security advisories and their own technical teams. SEC.co assumes no liability for decisions made based on this intelligence. This content is for informational purposes and should inform but not replace organizations' own risk assessment and incident response procedures. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35083HIGHMBS Solutions Gateway Stack Buffer Overflow (CVSS 8.8)
- CVE-2026-35084HIGHStack Buffer Overflow in MBS Solutions DALI-DevConfig – Root Privilege Escalation
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi