External risk intelligence

Unauthenticated Remote Attacker Recovers Default Password from MBS Solutions Firmware

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-35075

The affected products are gateways, which are specifically designed to act as internet-facing or network-edge devices that bridge different industrial communication protocols. These devices are intended to be accessible for management and routing purposes, making their surface inherently public-facing or externally reachable in common deployment scenarios.

Mbs Solutions Universal Gateway Firmware

before 6_00_07

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability allows unauthenticated attackers to access devices by recovering a default hardcoded password from firmware. This could grant them full control over affected devices, impacting systems that rely on these gateways for communication and management. The main concern is confirming relevance and exposure.

  • Default passwords expose device access.
  • Protects against unauthorized full device control.
  • Assess device relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker can remotely access a device's firmware image to extract a hardcoded password. This password can then be used to gain complete control over the device, enabling further malicious actions.

  • No authentication required.
  • Firmware image access and parsing.
  • Full device access and control.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker can recover a default, hard-coded password from a device's firmware image, granting them full access to all affected devices. This could lead to a compromise of device configurations and potentially the systems they are connected to.

  • Device configurations and control.
  • Recovering password from firmware image.
  • Unauthorized system access and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability, allowing unauthenticated remote attackers to recover hardcoded default passwords and gain full device access, requires immediate attention. Infrastructure or platform teams responsible for these mbs-solutions gateways should lead the effort. The first practical step involves identifying all deployed instances, assessing their network exposure and business criticality, and locating the accountable owner for each device or group of devices. Remediation planning should then prioritize the most exposed and critical assets, coordinating with the vendor and planning for necessary maintenance windows or temporary risk reduction measures.

  • Infrastructure or platform teams own the issue.
  • Verify device exposure and criticality first.
  • Plan vendor-coordinated remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the mbs-solutions universal_gateway_firmware?

This firmware runs on various industrial gateways designed to bridge communication between different protocols, such as KNX, Profinet, and M-Bus. These devices serve as essential translators in building and industrial automation systems, allowing diverse equipment to exchange data. Because they unify multiple network standards, they function as central communication hubs that manage connectivity for the systems they support.

What is the vulnerability class for CVE-2026-35075?

This issue falls under CWE-1393, which concerns the use of hard-coded credentials. In this specific case, the software contains a default password embedded directly within the firmware image. Because this secret is fixed and built into the product, an attacker who obtains the firmware can extract it to bypass security controls, effectively gaining full administrative access to the gateway without ever needing a legitimate user account.

How does an attacker trigger this vulnerability?

An attacker needs to gain access to the device's firmware image to extract the hard-coded password. Once retrieved, this password can be used to authenticate remotely and gain full control over the gateway. It is important to note that simply connecting to the device is not the trigger itself; the vulnerability relies on the attacker successfully locating and parsing the firmware file to reveal the underlying credential.

Is my device at risk if it is behind a firewall?

Halo Surface Signal notes that these gateways are often designed to be internet-facing or positioned at the network edge to bridge protocols. If your gateway is reachable from the public internet, it faces a higher level of risk. Even if your device is currently behind a firewall, you should treat this as a high-priority issue because any misconfiguration or future network change could expose the device to remote, unauthenticated access.

How should I respond to this threat?

Begin by creating an inventory of all MBS Solutions gateways in your environment to determine which are running firmware versions prior to 6.00.07. After identifying affected assets, assess their network connectivity and the criticality of the systems they manage. Coordinate with your infrastructure teams to prioritize these devices for vendor-supplied updates and plan for maintenance windows to implement the necessary security patches.

References