CVE-2026-35083: Stack buffer overflow in method bac-deviceobject

Synopsis

A stack-based buffer overflow exists in the bac-deviceobject method of multiple MBS gateway firmware variants (Single-A, Double-A Profibus, Double-A x-link, Single-X, Double-X CAN, Double-X DALI, Double-X KNX, and Double-X LON) running versions prior to V6_0_0_7. The vulnerability is reachable over the network and requires only a low-privilege user account to trigger. Successful exploitation gives an attacker full root-level control of the affected system. A patched-image rebuild at V6_0_0_7 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityRequired

  The vulnerable method is exposed over the network, so the attacker must be able to reach the service across a network connection.

• AuthenticationRequired

  A low-privilege user account is sufficient; no admin or elevated credentials are needed beyond basic authenticated access.

• Victim interactionNot required

  No user interaction is needed; the attacker triggers the overflow entirely through their own requests to the service.

• Attack complexityDetail

  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other environmental factors.

Blast Radius

• Reads any file or credential on the host, including private keys, stored session tokens, and configuration secrets, due to full root-level confidentiality compromise.
• Modifies or overwrites any file, configuration, or firmware component on the device, due to full root-level integrity compromise.
• Crashes or restarts any process on the device, or causes a sustained denial of service, due to full root-level availability compromise.
• Establishes persistent root access to the gateway, which may serve as a pivot point into adjacent industrial or building-automation network segments.