HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-35078Published Modified CNA CERTVDE

CVE-2026-35078: Arbitrary file delete vulnerability in method ugw-logstop

The ugw-logstop method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.

Metrics

CVSS v4.0
7.2
Severity
HIGH
Fixed in
V6_0_0_7
Affected Products
18

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An arbitrary file deletion vulnerability exists in the ugw-logstop method across multiple MBS gateway device variants. A remote attacker with low-privilege user credentials can reach the affected endpoint over the network and pass unsanitized input to delete arbitrary files on the local filesystem. Successful exploitation disrupts service availability and allows tampering with stored data, including configuration or log files. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds including CERTVDE within minutes of publication and matched against customer images and pipeline builds, including custom-built images derived from affected MBS firmware bases.

Available
Triage

HarborGuard is capable of scoring this finding at CVSS 7.2 HIGH and weighting it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available
Patch

A patched-image rebuild at V6_0_0_7 becomes available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the ugw-logstop endpoint over the network; the service must be exposed to the attacker's network segment.

  • AuthenticationRequired

    A low-privilege user account is sufficient; no administrative or elevated credentials are needed beyond basic login access.

  • Victim interactionNot required

    No action from any other user or victim is required to trigger the vulnerability.

  • Attack complexityDetail

    The exploit is reliable and condition-free; no race conditions, specific memory layout, or other environmental factors need to align.

Blast Radius

  • Attacker deletes arbitrary files on the device filesystem, including configuration files, certificates, or runtime state.
  • Deletion of critical files crashes or permanently disables the affected gateway service, causing a loss of availability.
  • Persistent disruption is possible if system or recovery files are removed, potentially requiring physical intervention to restore the device.
  • Data stored locally on the device, such as logs or operational records, can be irreversibly destroyed.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35078 is active across all environments scanning MBS-based images, with the CVE matched against affected versions from V1_0_0_0 through any release prior to V6_0_0_7. Where compliance policy permits, a rebuilt image at the fixed version V6_0_0_7 can be generated automatically; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression test run, and opens a PR against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where an immediate rebuild is not possible due to policy or hardware constraints, compensating controls to consider include network-policy isolation of the gateway management interface, egress filtering to restrict unauthorized lateral access, and auditing local file-access permissions to limit the blast radius of any deletion attempt.

See how HarborGuard automates this

Fix available

V6_0_0_7
Affected packages
  • MBS / Single-A
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A Profibus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-A x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Single-X
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X CAN
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X PROFINET
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Double-X x-link
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X KNX+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+DALI
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+KNX
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+LON
    < V6_0_0_7 (from V1_0_0_0)
  • MBS / Triple-X PROFINET+M-Bus
    < V6_0_0_7 (from V1_0_0_0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References