HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35077Published Modified CNA CERTVDE

CVE-2026-35077: Arbitrary file delete vulnerability in method ugw-delete-file

The ugw-delete-file method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Metrics

CVSS v4.0
7.2
Severity
HIGH
Fixed in
V6_0_0_7
Affected Products
18

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An arbitrary file deletion vulnerability exists in the ugw-delete-file method across multiple MBS gateway device firmware variants. A remote attacker with standard user-level privileges can send a crafted request over the network to delete any local file on the device, due to missing or insufficient validation of the file path parameter. Successful exploitation enables an attacker to corrupt or destroy configuration and system files, disrupting device operation or rendering the device unresponsive. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-35077 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built firmware images derived from affected MBS variants. Coverage extends to images built on any of the eight affected MBS product lines spanning versions V1_0_0_0 through V6_0_0_7.

Available
Triage

Triage is available with the full CVSS v4.0 score of 7.2 (HIGH) applied automatically, weighted against each customer environment's compliance policy to determine urgency and queue priority. Findings are routed to the appropriate team inbox within each customer organization based on configured escalation rules.

Available
Patch

A patched-image rebuild at V6_0_0_7 becomes available on HarborGuard once a customer's base image is updated to the fixed version; customers with auto-remediation enabled receive an automated rebuild, a regression-test run, and a pull request opened against affected workloads. Where compliance policy permits, this flow reduces exposure window without requiring manual intervention.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the affected device's ugw-delete-file endpoint over the network; the service must be exposed to the attacker's network segment.

  • AuthenticationRequired

    A low-privilege user account is sufficient; no administrative or elevated credentials are needed to invoke the vulnerable method.

  • Victim interactionNot required

    No user interaction is required; the attacker sends requests directly to the endpoint without any victim needing to take action.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental dependencies.

Blast Radius

  • Deletes arbitrary files from the local filesystem, including device configuration files, certificates, or credentials stored on disk.
  • Destroys firmware or runtime state files, leaving the device in a degraded or non-functional state.
  • Removes logging or audit trail files, erasing evidence of prior activity on the device.
  • Triggers a denial-of-service condition by deleting files critical to device operation, forcing an outage or manual recovery.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35077 activates immediately upon ingestion of the advisory, matching all images derived from the eight affected MBS product lines. For environments running a version below V6_0_0_7, a patched-image rebuild at the fixed version is available once the upstream base image is updated. For customers with auto-remediation enabled, HarborGuard initiates a rebuild, executes a regression-test run, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled due to compliance policy, the finding is surfaced in the customer dashboard with remediation guidance pointing to V6_0_0_7 as the target version. Network-policy controls (restricting access to the ugw-delete-file endpoint to trusted network segments) are available as a compensating control recommendation while upgrade scheduling is in progress.

See how HarborGuard automates this

Fix available

V6_0_0_7
Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References