CVE-2026-35080— Arbitrary file delete vulnerability in method ugw-restoreinfo

CVSS 8.1 · High EPSS 0.36% · P28 Updated Jun 13, 2026

Possible ATT&CK Techniques 2AI

T1068 · Exploitation for Privilege Escalation T1565 · Data Manipulation

Affected Version Matrix 18

Vendor	Product	Version Range	Status
MBS	Double-A Profibus	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-A x-link	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X CAN	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X DALI	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X KNX	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X LON	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X M-Bus	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X PROFINET	`V1_0_0_0< V6_0_0_7`	affected
MBS	Double-X x-link	`V1_0_0_0< V6_0_0_7`	affected
MBS	Single-A	`V1_0_0_0< V6_0_0_7`	affected
MBS	Single-X	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X KNX+DALI	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X KNX+LON	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X KNX+M-Bus	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X PROFINET+DALI	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X PROFINET+KNX	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X PROFINET+LON	`V1_0_0_0< V6_0_0_7`	affected
MBS	Triple-X PROFINET+M-Bus	`V1_0_0_0< V6_0_0_7`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35080

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Arbitrary file delete vulnerability in method ugw-restoreinfo

Source: NVD (National Vulnerability Database)

Vulnerability Description

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

文件名或路径的外部可控制

Source: NVD (National Vulnerability Database)

Vulnerability Title

MBS多款产品安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

MBS Single-A等都是德国MBS公司的一系列工业通信网关。 MBS多款产品存在安全漏洞，该漏洞源于ugw-restoreinfo方法对用户控制输入验证不足，可能导致远程攻击者删除任意本地文件。以下产品受到影响：Single-A、Double-A Profibus、Double-A x-link和Single-X。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE
MBS	Single-A	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-A Profibus	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-A x-link	V1_0_0_0 ~ V6_0_0_7	-
MBS	Single-X	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X CAN	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X DALI	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X KNX	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X LON	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X M-Bus	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X PROFINET	V1_0_0_0 ~ V6_0_0_7	-
MBS	Double-X x-link	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X KNX+DALI	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X KNX+LON	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X KNX+M-Bus	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X PROFINET+DALI	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X PROFINET+KNX	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X PROFINET+LON	V1_0_0_0 ~ V6_0_0_7	-
MBS	Triple-X PROFINET+M-Bus	V1_0_0_0 ~ V6_0_0_7	-

II. Public POCs for CVE-2026-35080

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-35080

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-35080 (1)

🔗 MBS: Several security vulnerabilities in the UGW web GUI Read full article

https://nvd.nist.gov/vuln/detail/CVE-2026-35080

Same Patch Batch · MBS · 2026-06-03 · 11 CVEs total

CVE-2026-35075	9.8 CRITICAL	Hardcoded default Password for Service Account
CVE-2026-35085	8.8 HIGH	Stack buffer overflow in method gdv-serverconfig
CVE-2026-35084	8.8 HIGH	Stack buffer overflow in method dali-devconfig
CVE-2026-35083	8.8 HIGH	Stack buffer overflow in method bac-deviceobject
CVE-2026-35082	8.8 HIGH	Local file inclusion vulnerability and deletion in ugw-logread method
CVE-2026-35081	8.1 HIGH	Arbitrary process termination vulnerability in method ugw-logstop
CVE-2026-35079	8.1 HIGH	Arbitrary file delete vulnerability in method ugw-restore
CVE-2026-35078	8.1 HIGH	Arbitrary file delete vulnerability in method ugw-logstop
CVE-2026-35077	8.1 HIGH	Arbitrary file delete vulnerability in method ugw-delete-file
CVE-2026-35076	8.1 HIGH	Arbitrary file delete vulnerability in method bac-scanresult

IV. Related Vulnerabilities

Same product: Single-A

Same vendor: MBS

Same weakness: CWE-73

V. Comments for CVE-2026-35080

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-35080— Arbitrary file delete vulnerability in method ugw-restoreinfo

Possible ATT&CK Techniques 2AI

Affected Version Matrix 18

I. Basic Information for CVE-2026-35080

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-35080

III. Intelligence Information for CVE-2026-35080

Vendor Advisories for CVE-2026-35080 (1)

Same Patch Batch · MBS · 2026-06-03 · 11 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-35080

Leave a comment