HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35076Published Modified CNA CERTVDE

CVE-2026-35076: Arbitrary file delete vulnerability in method bac-scanresult

The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Metrics

CVSS v4.0
7.2
Severity
HIGH
Fixed in
V6_0_0_7
Affected Products
18

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An arbitrary file deletion vulnerability exists in the bac-scanresult method across multiple MBS device variants (Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON) running firmware versions prior to V6_0_0_7. A remote attacker with low-privilege user credentials can send a crafted request over the network to delete arbitrary files on the local filesystem, bypassing any validation of the supplied file path. Successful exploitation disrupts service availability and enables targeted data destruction. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-35076 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including CERTVDE advisories) within minutes of publication and matched against all customer images, including custom-built images containing affected MBS firmware. Affected image layers are flagged in both registry scans and CI/CD pipeline checks.

Available
Triage

HarborGuard scores this CVE at 7.2 HIGH using the published CVSS v4.0 vector and weights findings against each customer organization's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer org based on configured ownership rules.

Available
Patch

A patched-image rebuild at firmware version V6_0_0_7 is available on HarborGuard for any environment running an affected MBS variant below that version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the bac-scanresult endpoint over the network; the CVSS vector specifies AV:N, meaning no local or physical access is needed.

  • AuthenticationRequired

    A low-privilege user account is sufficient; the CVSS vector specifies PR:L, so no administrative credentials are required but unauthenticated access alone is not enough.

  • Victim interactionNot required

    No victim action is needed; the attacker triggers the vulnerability directly without any social engineering or user participation (UI:N).

  • Attack complexityDetail

    Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or particular environmental configuration.

Blast Radius

  • Deletes arbitrary files on the host filesystem, including configuration files, runtime data, or security-relevant assets.
  • Crashes or permanently disables the affected MBS device by removing files the service depends on to operate (VA:H).
  • Overwrites or erases persisted operational data, breaking integrations that rely on scan result records (VI:H).
  • Confidentiality of data stored on the device is not directly exposed by this vulnerability (VC:N), but deleted files are unrecoverable without a backup.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35076 is active across customer environments scanning MBS device images, covering all affected product lines from V1_0_0_0 up to the fix boundary at V6_0_0_7. A patched-image rebuild at V6_0_0_7 is available for any environment where an affected image is present. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes regression tests, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of approximately 90 minutes for high-severity issues. Where compliance policy restricts auto-remediation, the finding is surfaced with fix-version detail and severity weighting so engineering teams can act manually. Until a rebuild is deployed, compensating controls worth considering include network-policy rules that restrict access to the bac-scanresult endpoint to known trusted IP ranges, and egress filtering to limit blast radius if a compromise occurs.

See how HarborGuard automates this

Fix available

V6_0_0_7
Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References