Introduction
A single hardcoded password, baked into firmware and shared across 18 building automation gateway models, is all it takes for an unauthenticated remote attacker to gain full control of every affected MBS Universal Gateway on the network. CVE-2026-35075, disclosed on June 3, 2026 with a CVSS v3.x score of 9.8, is the crown jewel of an 11 vulnerability advisory that collectively exposes the entire MBS UGW product line to remote compromise, privilege escalation to root, arbitrary file access, and service disruption.
MBS GmbH is a German company with more than 30 years of history in industrial and building automation, specializing in protocol translation gateways that bridge communication between systems using BACnet, KNX, DALI, LON, M-Bus, PROFINET, and Profibus. The company is a partner in the Bosch Rexroth ctrlX AUTOMATION ecosystem, and its Universal Gateways are deployed in building management environments where they serve as critical communication bridges between disparate automation protocols. A compromised gateway in this context does not just affect a single device; it potentially provides a pivot point into the broader building automation network controlling HVAC, lighting, energy metering, and access control systems.
Technical Information
Root Cause: Hardcoded Default Password in Firmware
CVE-2026-35075 is classified under CWE-1393 (Use of Default Password), with close relationships to CWE-798 (Use of Hard-coded Credentials) and CWE-259 (Use of Hard-coded Password). The NVD description states explicitly that "an unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices." The critical word here is "all": the MBS Universal Gateway product line is built on a common software platform with a central data point manager and software based protocol processing. This shared architecture means the same hardcoded credential exists in every firmware image across all 18 affected models.
CWE-1393 is a member of several ICS specific categories, including Category 1364 (ICS Communications: Zone Boundary Failures), Category 1366 (ICS Communications: Frail Security in Protocols), Category 1368 (ICS Dependencies: External Digital Systems), and Category 1376 (ICS Engineering: Security Gaps in Commissioning). Its presence in these categories reflects how deeply this class of weakness is embedded in the OT/ICS security landscape.
CVSS v4.0 Vector Analysis
The CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, yielding a score of 9.3 (CRITICAL). Breaking this down:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely |
| Attack Complexity (AC) | Low | No specialized conditions required |
| Attack Requirements (AT) | None | No preparatory steps needed |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No victim action required |
| Confidentiality Impact (VC) | High | Complete information disclosure |
| Integrity Impact (VI) | High | Complete system modification |
| Availability Impact (VA) | High | Complete service disruption |
Every metric is at its worst case value for the attacker. There are no mitigating factors in the vector itself.
Attack Flow
The exploitation of CVE-2026-35075 follows a predictable sequence:
-
Firmware acquisition: The attacker obtains a firmware image for any affected MBS UGW device. Firmware images are typically available from vendor download portals or can be captured during update processes.
-
Credential extraction: The attacker performs static analysis on the firmware binary to locate and extract the hardcoded default password. As the CWE-1393 documentation notes, "many lists of default passwords and default password scanning tools [are] readily available on the World Wide Web."
-
Authentication: The attacker uses the extracted credential to authenticate to the UGW web GUI of any deployed device running firmware prior to V6_0_0_7. Because the password is identical across all product instances, a single extraction compromises the entire fleet.
-
Post exploitation via companion vulnerabilities: Once authenticated with user level privileges, the attacker can chain the remaining 10 CVEs in advisory VDE-2026-039 for escalation and lateral movement.
The Full Attack Chain: 11 CVEs in VDE-2026-039
CVE-2026-35075 is the only vulnerability in the advisory that requires no authentication. It serves as the initial access vector, after which the remaining vulnerabilities become exploitable:
| CVE ID | CVSS | CWE | Description |
|---|---|---|---|
| CVE-2026-35075 | 9.8 | CWE-1393 | Hardcoded default password recovery from firmware |
| CVE-2026-35085 | 8.8 | CWE-121 | Stack based buffer overflow in gdv-serverconfig granting root access |
| CVE-2026-35084 | 8.8 | CWE-121 | Stack based buffer overflow in dali-devconfig granting root access |
| CVE-2026-35083 | 8.8 | CWE-121 | Stack based buffer overflow granting root access |
| CVE-2026-35082 | 8.8 | CWE-22 | Path traversal via ugw-logread for arbitrary file access |
| CVE-2026-35081 | 8.1 | CWE-20 | Improper input validation via ugw-logstop for arbitrary process termination |
| CVE-2026-35080 | 8.1 | CWE-73 | External control of file name/path via ugw-restoreinfo for arbitrary file deletion |
| CVE-2026-35079 | 8.1 | CWE-73 | External control of file name/path via ugw-restore for arbitrary file deletion |
| CVE-2026-35078 | 8.1 | CWE-73 | External control of file name/path via ugw-logstop for arbitrary file deletion |
| CVE-2026-35077 | 8.1 | CWE-73 | External control of file name/path via ugw-delete-file for arbitrary file deletion |
| CVE-2026-35076 | 8.1 | CWE-73 | External control of file name/path via bac-scanresult for arbitrary file deletion |
The three stack based buffer overflows are particularly significant because they provide privilege escalation to root, giving the attacker complete control over the underlying operating system. Combined with the path traversal for arbitrary file reads and the five file deletion vulnerabilities, an attacker who starts with CVE-2026-35075 can achieve full system compromise: read any file, execute arbitrary code as root, delete critical system files, and terminate running processes.
Affected Systems and Versions
All affected products are MBS Universal Gateways running firmware versions prior to V6_0_0_7. The advisory covers 18 distinct models across two product series:
UGW-A-Series:
- Double-A Profibus
- Double-A x-link
- Single-A
UGW-X-Series (Single Protocol):
- Double-X CAN
- Double-X DALI
- Double-X KNX
- Double-X LON
- Double-X M-Bus
- Double-X PROFINET
- Double-X x-link
UGW-X-Series (Multi Protocol):
- Triple-X KNX+DALI
- Triple-X KNX+LON
- Triple-X KNX+M-Bus
- Triple-X PROFINET+DALI
- Triple-X PROFINET+KNX
- Triple-X PROFINET+LON
- Triple-X PROFINET+M-Bus
These gateways connect devices using various digital communication protocols within building automation, including BACnet, KNX, DALI, LON, M-Bus, PROFINET, and Profibus. The shared software platform architecture means the hardcoded password vulnerability is systemic across the entire product line rather than isolated to specific models.
Vendor Security History
This appears to be the first publicly disclosed security advisory against MBS GmbH products through the CERT@VDE coordination process. The vulnerabilities were reported by Adrien Rey from Cyber Defense Campus Zurich and Daniel Hulliger from Armasuisse, the Swiss federal competence center for cybersecurity and defense technology. The involvement of defense sector researchers suggests these devices may be deployed in environments of national security interest.
The CVE was assigned by CERT@VDE, which became Germany's first Root CNA (CVE Numbering Authority) on July 25, 2025, making it the central point of contact in the global CVE program for its industrial automation partners. The fact that an industrial focused CNA is handling this disclosure reinforces the OT/ICS significance of these vulnerabilities.
The sheer number of vulnerabilities disclosed simultaneously (11 CVEs spanning hardcoded credentials, buffer overflows, path traversal, improper input validation, and external control of file paths) suggests that the UGW web GUI had not previously undergone rigorous security review. The diversity of weakness types indicates systemic secure development gaps rather than an isolated coding error.
Mitigation
The primary remediation is to update affected products to firmware version V6_0_0_7, available at en.mbs-solutions.de/firmwareupdate. This update addresses all 11 CVEs in the advisory simultaneously.
For organizations unable to immediately apply the firmware update, the MITRE CWE-1393 documentation prescribes mitigations at four phases with varying effectiveness:
| Phase | Mitigation | Effectiveness |
|---|---|---|
| Requirements | Prohibit use of default, hardcoded, or other values that do not vary per installation | High |
| Architecture and Design | Force the administrator to change the credential upon installation | High |
| Installation/Operation | Change defaults upon installation or during operation | Moderate |
| Documentation | Emphasize the presence of default passwords and provide steps to change them | Limited |
Practical compensating controls for deployed systems include:
- Network segmentation: Isolate MBS UGW devices on dedicated network segments with restricted access. The attack vector is network based and requires no authentication, so limiting network reachability is the most effective compensating control.
- Credential rotation: If the firmware allows administrators to change the default password, do so immediately on all deployed devices.
- Authentication monitoring: Deploy network monitoring to detect authentication attempts using known default credentials against UGW web GUI interfaces.
Threat Intelligence Context
As of June 3, 2026, there is no evidence of active exploitation in the wild for CVE-2026-35075. The CVE does not appear on CISA's Known Exploited Vulnerabilities (KEV) Catalog. However, the publication date is the same day as this analysis, and exploitation status could change rapidly.
Default password vulnerabilities of this type have a well documented history of rapid exploitation once credentials become known. The OT:ICEFALL study (2022) examined products from 10 OT vendors, reported 56 vulnerabilities, and concluded that products were "insecure by design," with multiple OT products found to use default credentials. Research by Forescout on building automation system vulnerabilities found that "default passwords, hardcoded credentials, and single factor authentication are still common" in smart building deployments, and that "attackers can find exposed systems through public" search tools and default credential lists.
The risk of near term exploitation is elevated based on several converging factors: the password is extractable through static analysis of any firmware binary; the attack requires no authentication and is network accessible; the product family is used in building automation where devices are often internet exposed for remote management; default password extraction is trivially automatable using existing scanning tools; and the companion vulnerabilities provide a complete attack chain from initial access to full root level control.
No specific threat actor attribution is available at the time of publication.
References
- NVD: CVE-2026-35075
- CERT@VDE Advisory VDE-2026-039: MBS Several Security Vulnerabilities in the UGW Web GUI
- CWE-1393: Use of Default Password
- CWE-798: Use of Hard-coded Credentials
- CWE-259: Use of Hard-coded Password
- CWE-1392: Use of Default Credentials
- CERT@VDE becomes Germany's first Root CNA
- MBS GmbH
- MBS Universal Gateways Overview
- MBS GmbH in ctrlX AUTOMATION Ecosystem
- Forescout: Discovering and Defending Against Vulnerabilities in Building Automation Systems
- Smart Buildings Cybersecurity Risks
- CISA Known Exploited Vulnerabilities Catalog
- CERT@VDE Dashboard



