CVE-2026-35079: Arbitrary file delete vulnerability in method ugw-restore

Synopsis

An arbitrary file deletion vulnerability affects the ugw-restore method in multiple MBS gateway device variants (Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON) running firmware versions prior to V6_0_0_7. The flaw is reachable over the network by any authenticated user with low-privilege credentials, requiring no interaction from another user or administrator. Successful exploitation lets an attacker delete arbitrary files on the local filesystem, which can corrupt device configuration, destroy stored data, or bring down the affected service. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for affected environments.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The attacker must reach the ugw-restore endpoint over the network; the service must be exposed to the attacker's network segment.

• AuthenticationRequired

  Any low-privilege user account is sufficient; no administrative or elevated permissions are needed beyond basic authenticated access.

• Victim interactionNot required

  The attacker can trigger the vulnerability directly without any action from another user or an administrator.

• Attack complexityDetail

  The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental prerequisites.

Blast Radius

• An attacker can delete arbitrary files on the device filesystem, including configuration files, credentials stores, and runtime state.
• Deletion of critical system files disrupts or crashes the affected MBS gateway service, causing loss of availability for connected industrial or building-automation processes.
• Targeted deletion of configuration or firmware files can leave the device in an unrecoverable or degraded state, requiring physical intervention to restore.