CVE-2026-35080: Arbitrary file delete vulnerability in method ugw-restoreinfo
The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input.
Metrics
- CVSS v4.0: 7.2
- Severity: HIGH
- Fixed in: V6_0_0_7
- Affected Products: 18
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects the ugw-restoreinfo method in multiple MBS device firmware variants (including Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON), all versions prior to V6_0_0_7. A remote attacker holding low-privilege user credentials can send crafted input to the ugw-restoreinfo method over the network; because the method validates that input insufficiently, the request can delete arbitrary files on the device's local filesystem. Successful exploitation lets an attacker corrupt or destroy critical system files, disrupting availability, or tamper with configuration and operational data. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for affected environments.
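The root cause named above is insufficient validation of a user-controlled file name before a delete operation. The following is an added example, not code from MBS or HarborGuard, of how a restore/cleanup handler can confine that input to a single allowlisted directory: the advisory does not describe the real request format of ugw-restoreinfo, so the parameter name, the directory path, and the file-name rules here are assumptions.

```python
"""
Added example, not code from MBS or HarborGuard: a delete handler that confines
user-supplied names to one allowlisted directory. The advisory attributes
CVE-2026-35080 to insufficient validation of user-controlled input in
ugw-restoreinfo; the method's real request format is not described, so the
parameter name, directory and file-name rules below are assumptions.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed layout: restore artefacts live in one fixed directory (hypothetical path).
RESTORE_DIR = Path("/var/lib/ugw/restore")
# Allowlist: one path component, alphanumeric start, no separators, no NUL, no leading dot.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class InvalidRestoreName(ValueError):
    """Raised for any name that is not a plain file name inside the restore directory."""


def validate_restore_name(name: str) -> str:
    """Accept only a single, non-hidden path component; reject everything else.

    The naive form of such a handler, os.remove(os.path.join(base, name)), is what
    goes wrong when name carries separators or '..': os.path.join happily leaves
    the base directory. An allowlist makes the accepted set explicit instead.
    """
    if not isinstance(name, str) or NAME_RE.fullmatch(name) is None:
        raise InvalidRestoreName(f"rejected restore file name: {name!r}")
    return name


def delete_restore_file(name: str, base: Path = RESTORE_DIR) -> bool:
    """Delete `name` inside `base` and return True, or False if it did not exist.

    The name is validated first, then every filesystem call is anchored to an
    open descriptor for `base` (dir_fd), so the operation cannot drift to another
    directory even if `base` is renamed or replaced between calls. Symlinks,
    directories and device nodes are refused; only regular files are deleted.
    """
    validate_restore_name(name)
    dfd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            st = os.stat(name, dir_fd=dfd, follow_symlinks=False)
        except FileNotFoundError:
            return False
        if not stat.S_ISREG(st.st_mode):
            raise InvalidRestoreName(f"not a regular file: {name!r}")
        os.unlink(name, dir_fd=dfd)
        return True
    finally:
        os.close(dfd)


def run_demo() -> dict:
    """Exercise the handler against constructed inputs in throwaway directories."""
    base = Path(tempfile.mkdtemp(prefix="ugw-restore-"))
    elsewhere = Path(tempfile.mkdtemp(prefix="ugw-elsewhere-"))
    (base / "backup1.bin").write_bytes(b"constructed backup")
    victim = elsewhere / "victim.conf"
    victim.write_text("constructed config outside the restore directory\n")
    os.symlink(victim, base / "link.bin")  # a symlink planted inside base

    results = {
        "first_delete": delete_restore_file("backup1.bin", base),
        "second_delete": delete_restore_file("backup1.bin", base),
        "rejected": [],
    }
    for bad in ["../../victim.conf", "a/b", "", "..", ".hidden", "x\x00y", "link.bin"]:
        try:
            delete_restore_file(bad, base)
        except InvalidRestoreName:
            results["rejected"].append(bad)
    results["victim_intact"] = victim.exists()
    results["symlink_intact"] = os.path.lexists(base / "link.bin")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two properties matter here. The allowlist is checked before any filesystem access, so traversal sequences, absolute paths and embedded NUL bytes never reach a syscall; and the delete is performed relative to an already-open directory descriptor with `follow_symlinks=False`, so a link planted inside the restore directory cannot redirect the deletion to a file elsewhere on the device.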
HarborGuard Coverage
Detection of CVE-2026-35080 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected MBS firmware base layers. Any image carrying a pre-V6_0_0_7 version of the affected MBS firmware is flagged automatically.
HarborGuard surfaces this CVE with its CVSS v4.0 score of 7.2 (HIGH) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer organization. Triage findings are routed to the team inbox or ticketing integration configured for the affected environment, so the right engineers see the alert without manual filtering.
A patched-image rebuild pinned to fix version V6_0_0_7 is available on HarborGuard for any environment running an affected MBS firmware version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the ugw-restoreinfo service over the network (AV:N); the device must be accessible from the attacker's network position.
- Authentication: Required
  A low-privilege user account is sufficient to exploit this vulnerability; no administrative or elevated credentials are needed (PR:L).
- Victim interaction: Not required
  No victim interaction is required; the attacker sends the malicious request directly without any user action (UI:N).
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout dependencies (AC:L).
Blast Radius
- Deletes arbitrary files on the local filesystem of the affected MBS device, including configuration files, operational data, or system binaries.
- Destruction of critical system files can crash or render the affected device permanently inoperable until it is re-imaged or restored (VA:H).
- Deletion of configuration or firmware components corrupts the integrity of the device's operational state, enabling persistent disruption of connected industrial or building-automation processes (VI:H).
- No confidentiality impact is indicated; the exploit does not expose stored data to the attacker (VC:N).
How HarborGuard Handles This
Available on HarborGuard: images containing affected MBS firmware versions (all variants prior to V6_0_0_7) are detected automatically at ingest, scored at CVSS 7.2 HIGH, and surfaced in the relevant team's queue. Where compliance policy permits, a rebuilt image at V6_0_0_7 is staged and a regression run is triggered; for customers who opt into auto-remediation, a pull request is opened against affected workloads with a median turnaround of roughly 90 minutes for high-severity issues. For environments where an immediate upgrade is not yet feasible, compensating controls worth considering include network-policy isolation to restrict which hosts can reach the ugw-restoreinfo endpoint, egress filtering on devices running affected firmware, and feature-flag or ACL gating on the restoreinfo method if the firmware exposes that option. HarborGuard continues re-checking the advisory each ingest cycle to confirm fix version availability and update image match status as customer environments are remediated.
Fix available
- MBS / Single-A: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-A Profibus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-A x-link: < V6_0_0_7 (from V1_0_0_0)
- MBS / Single-X: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X CAN: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X KNX: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X M-Bus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X PROFINET: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X x-link: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+M-Bus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+KNX: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+M-Bus: < V6_0_0_7 (from V1_0_0_0)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N