CVE-2022-22520

moderate-risk

Published 2022-09-14

A remote, unauthenticated attacker can enumerate valid users by sending specific requests to the webservice of MB connect line mymbCONNECT24, mbCONNECT24 and Helmholz myREX24 and myREX24.virtual in all versions through v2.11.2.

Do I need to act?

0.30% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (4)

Mbconnect24

Mymbconnect24

Myrex24

Myrex24.Virtual

Affected Vendors

Mbconnectline Helmholz

References (4)

Third Party Advisory https://cert.vde.com/en/advisories/VDE-2022-011

Not Applicable https://cert.vde.com/en/advisories/VDE-2022-039

Third Party Advisory https://cert.vde.com/en/advisories/VDE-2022-011

Not Applicable https://cert.vde.com/en/advisories/VDE-2022-039

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 10/34 · Low