CVE-2026-35082: Local file inclusion vulnerability and deletion in ugw-logread method
The ugw-logread method allows a remote attacker with user privileges to access arbitrary local files due to insufficient validation of user-supplied input.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: V6_0_0_7
- Affected Products: 18
HarborGuard Analysis
Synopsis
A local file inclusion and deletion vulnerability affects the ugw-logread method across multiple MBS device firmware variants. A remote attacker with low-privilege user credentials can send crafted input to the ugw-logread method over the network, bypassing path or input validation, to access or delete arbitrary files on the device. Successful exploitation gives the attacker full read access to sensitive local files, the ability to tamper with or delete persisted data, and can disrupt the availability of the affected service. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-35082 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including CERTVDE within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected MBS firmware bases.
HarborGuard scores this CVE at 8.7 HIGH using the CVSS v4.0 vector and surfaces it accordingly within each customer environment, weighted against that environment's compliance policy. Triage routing directs the finding to the appropriate team inbox within the customer org based on configured ownership rules.
A patched-image rebuild at V6_0_0_7 becomes available on HarborGuard for any environment where an affected MBS firmware version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the ugw-logread service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.
- Authentication: Required
  The attacker must hold at least a low-privilege user account on the device; unauthenticated access is not sufficient to invoke the ugw-logread method.
- Victim interaction: Not required
  No action from a legitimate user or administrator is needed to trigger the vulnerability; the attacker sends crafted input directly.
- Attack complexity: Low
  Attack complexity is low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental preconditions beyond network access and valid credentials.
Blast Radius
- Reads arbitrary local files on the device, including configuration files, credentials, private keys, or stored log data.
- Deletes arbitrary local files, which can corrupt device configuration or remove audit trails.
- Disrupts availability of the affected service or device by removing files critical to normal operation.
- Combines file read and deletion to extract sensitive data and then cover traces of the intrusion.
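The Synopsis and Blast Radius above describe a file-serving method that trusts a caller-supplied name and so can read or delete files anywhere on the device. The following added example (not HarborGuard's or the MBS firmware's code; the exact validation flaw in ugw-logread is not described on this page) shows the containment checks such a handler should apply before opening or removing a file: reject NUL bytes, absolute paths and traversal segments, then canonicalise and confirm the result still lies inside the log directory, which also catches symlinks that point outside it. The fixture, probe names and the `log/` directory are constructed for the demonstration.

```python
import os
import tempfile


class PathRejected(ValueError):
    """Raised when a requested log name would reach outside the log directory."""


def resolve_log_path(log_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` confined to `log_dir`, or raise.

    Checks a file-serving handler should run before it opens (or removes) a
    file named by the caller. Assumed design for illustration, not vendor code.
    """
    if not requested or "\x00" in requested:
        raise PathRejected("empty name or embedded NUL byte")
    if os.path.isabs(requested):
        raise PathRejected("absolute paths are not accepted")
    # Reject traversal segments outright instead of trying to normalise them away.
    if any(p in ("", ".", "..") for p in requested.replace("\\", "/").split("/")):
        raise PathRejected("'.', '..' or empty path segment")
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath follows symlinks, so a link inside log_dir that points elsewhere
    # resolves outside `base` and is caught by the containment check.
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected("resolved path escapes the log directory")
    return candidate


def demo() -> dict:
    """Constructed fixture: a log dir with one real log and one symlink pointing out."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "log")
    os.mkdir(log_dir)
    with open(os.path.join(log_dir, "system.log"), "w") as f:
        f.write("boot ok\n")
    with open(os.path.join(root, "secret.conf"), "w") as f:
        f.write("password=hunter2\n")  # constructed secret outside the log dir
    os.symlink(os.path.join(root, "secret.conf"), os.path.join(log_dir, "link.log"))
    probes = ["system.log", "../secret.conf", "/etc/passwd",
              "link.log", "sub/../system.log", "a\x00b"]
    results = {}
    for name in probes:
        try:
            results[name] = "allowed:" + os.path.basename(resolve_log_path(log_dir, name))
        except PathRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Only the plain file name inside the directory is accepted; every other probe, including the in-directory symlink, is refused before any file is touched.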
How HarborGuard Handles This
Available on HarborGuard: once CVE-2026-35082 is matched against an image in a customer registry or pipeline, a rebuilt image at fix version V6_0_0_7 is made available for all affected MBS firmware variants. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test, and opens a PR against affected workloads automatically; for high-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled or compliance policy requires manual review, the finding is queued in the triage inbox with the CVSS 8.7 HIGH score and affected image list for engineer action. Where a patched base image cannot yet be deployed, compensating controls such as network-policy rules restricting access to the ugw-logread endpoint and egress filtering on the affected device segment are worth considering as interim measures.
Fix available
- MBS / Single-A: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-A Profibus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-A x-link: < V6_0_0_7 (from V1_0_0_0)
- MBS / Single-X: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X CAN: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X KNX: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X M-Bus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X PROFINET: < V6_0_0_7 (from V1_0_0_0)
- MBS / Double-X x-link: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X KNX+M-Bus: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+DALI: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+KNX: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+LON: < V6_0_0_7 (from V1_0_0_0)
- MBS / Triple-X PROFINET+M-Bus: < V6_0_0_7 (from V1_0_0_0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N