The National Vulnerability Database on June 18, 2026 published CVE-2026-8024, a deserialization-of-untrusted-data vulnerability affecting two pieces of industrial data-acquisition software from the German vendor iba: ibaPDA and ibaDatCoordinator. NVD assigns the entry a CVSS 3.1 base score of 9.8 and a CVSS 4.0 base score of 9.3, both in the critical band. The source identifier on the record is info@cert.vde.com, indicating that CERT@VDE — the computer emergency response team operated by the German industrial association VDE — coordinated the disclosure and acts as the assigning CNA.

The NVD description is concise and specific about who can reach the flaw and what it grants. It states that a remote, unauthenticated attacker may exploit the deserialization issue to gain full access to the affected systems. The vector string NVD records, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, encodes the same facts in CVSS terms: the issue is reachable over a network, requires low attack complexity, needs no privileges and no user interaction, and yields high impact to confidentiality, integrity, and availability. NVD classifies the weakness as CWE-502, "Deserialization of Untrusted Data."

"A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems." — NVD, CVE-2026-8024

What deserialization of untrusted data means here

Deserialization is the process of reconstructing an in-memory object from a serialized byte stream — the reverse of writing an object out to a file or a network message. The weakness category NVD applies, CWE-502, covers cases where an application reconstructs objects from data it does not control. When the byte stream is attacker-supplied and the deserialization routine is not constrained to safe types, the act of rebuilding the object can be turned into the act of running attacker-chosen code or instantiating attacker-chosen objects. The NVD record does not publish a proof-of-concept; it states the outcome the vendor and CERT@VDE assessed, which is that the path leads to full access to the affected systems.
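
The type constraint described above, as an added Python illustration (not code from iba, CERT@VDE or the NVD record, which does not describe the affected deserialization routine): the same byte stream is handed to an unconstrained loader and to one restricted to an allow-list. Probe, ALLOWED_GLOBALS and the sample data are constructed for this example, and the callable the stream names is the harmless builtin sorted.

```python
import io
import pickle

# Assumed policy for this example: the only non-primitive type the loader
# may resolve is a plain standard-library container.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class Probe:
    """Constructed stand-in for an untrusted object: its serialized form
    names a callable (the harmless builtin `sorted`) for the loader to run."""

    def __reduce__(self):
        return (sorted, ("cba",))


class AllowListUnpickler(pickle.Unpickler):
    """Resolve only allow-listed types; reject every other global the
    stream names before it can be looked up or called."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_unconstrained(blob: bytes):
    # Weak form: the byte stream decides which callables run during load.
    return pickle.loads(blob)


def load_constrained(blob: bytes):
    # Hardened form: type resolution is limited to ALLOWED_GLOBALS.
    return AllowListUnpickler(io.BytesIO(blob)).load()


def demo():
    untrusted = pickle.dumps(Probe())
    benign = pickle.dumps({"signal": "temp_01", "samples": [1.5, 2.0]})
    results = {"unconstrained": load_unconstrained(untrusted)}
    try:
        load_constrained(untrusted)
        results["constrained"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["constrained"] = str(exc)
    results["benign"] = load_constrained(benign)  # plain data still loads
    return results


if __name__ == "__main__":
    print(demo())
```

The unconstrained loader returns the result of the call the stream selected rather than a data object, which is the behaviour CWE-502 names; the constrained loader refuses the stream at type resolution and still accepts plain data.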

Two attributes in the description carry the weight for a defender reading the primary record. The first is "remote": the attacker does not need local access to the machine running the software. The second is "unauthenticated": the attacker does not need valid credentials. Together with the "full access" outcome, those attributes are what place the entry at the top of the severity scale. There is no privilege requirement to overcome and no user who must be tricked into clicking, which is reflected in the CVSS vector's PR:N and UI:N markers.

The CVSS 4.0 scoring NVD records, 9.3 with a vector that marks attack vector as network, attack complexity as low, and the privilege, interaction, and complexity prerequisites as none, restates the same assessment under the newer standard. The scope marker in the 3.1 vector is S:U, meaning the impact stays within the vulnerable component's security scope rather than crossing into another; the high confidentiality, integrity, and availability ratings sit on the affected system itself. Read together, the two scoring systems describe a single fact pattern: a network-reachable deserialization sink that an unauthenticated request can drive to complete compromise of the host running the software.

The affected products and the referenced advisory

The two named products sit in industrial and process environments. ibaPDA is iba's process-data-acquisition system, used to record measurement and signal data from machinery and control systems; ibaDatCoordinator is iba's tool for managing and processing the data files those systems produce. The NVD record names both as affected by CVE-2026-8024. For the specific version ranges, fix versions, and configuration details, the record points to the coordinating advisory rather than enumerating them inline. That division of detail is typical of CERT@VDE-coordinated entries, where the NVD record states the weakness and impact and the linked advisory carries the affected-version table and vendor remediation.

NVD attaches two references to the entry, both from CERT@VDE. The first is the human-readable advisory page VDE-2026-051 at certvde.com. The second is the machine-readable CSAF document for the same advisory, hosted under iba's CSAF endpoint at certvde.com. CSAF — the Common Security Advisory Framework — is a structured format that lets defenders ingest advisory data programmatically, which is increasingly common in operational-technology environments where asset owners track many products. Operators of ibaPDA or ibaDatCoordinator can consult VDE-2026-051 for the affected version list and the vendor's remediation guidance. The dual publication of a human-readable page and a CSAF document means asset owners running automated advisory pipelines and those reviewing the disclosure by hand are working from the same coordinated source.
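
What programmatic ingestion of a CSAF document looks like, as an added example (not code from CERT@VDE or iba): it resolves the product IDs a CSAF 2.0 advisory lists as known affected for a CVE and reports which of them carry a remediation entry. The sample document is constructed; its product IDs, version labels and remediation text are placeholders and do not reproduce the contents of VDE-2026-051.

```python
# Constructed CSAF 2.0 fragment, shaped like the dict json.load() returns.
# Field names follow the CSAF 2.0 schema; product IDs, version labels and
# remediation text are placeholders, not values from VDE-2026-051.
SAMPLE = {
    "document": {"tracking": {"id": "VDE-2026-051"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "iba", "branches": [
        {"category": "product_name", "name": "ibaPDA", "branches": [
            {"category": "product_version_range", "name": "<AFFECTED-RANGE>",
             "product": {"product_id": "PID-1", "name": "ibaPDA <AFFECTED-RANGE>"}},
            {"category": "product_version", "name": "<FIXED-VERSION>",
             "product": {"product_id": "PID-2", "name": "ibaPDA <FIXED-VERSION>"}}]},
        {"category": "product_name", "name": "ibaDatCoordinator", "branches": [
            {"category": "product_version_range", "name": "<AFFECTED-RANGE>",
             "product": {"product_id": "PID-3",
                         "name": "ibaDatCoordinator <AFFECTED-RANGE>"}}]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-2026-8024",
        "product_status": {"known_affected": ["PID-1", "PID-3"], "fixed": ["PID-2"]},
        "remediations": [{"category": "vendor_fix", "product_ids": ["PID-1"],
                          "details": "<VENDOR-REMEDIATION-TEXT>"}]}],
}


def product_names(branches):
    """Walk the nested product_tree branches and map product_id -> name."""
    names = {}
    for branch in branches:
        if "product" in branch:
            names[branch["product"]["product_id"]] = branch["product"]["name"]
        names.update(product_names(branch.get("branches", [])))
    return names


def affected_report(csaf, cve):
    """One row per known-affected product for `cve`, with the remediation
    categories the advisory attaches to that product (empty if none)."""
    names = product_names(csaf["product_tree"].get("branches", []))
    rows = []
    for vuln in csaf.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            fixes = [r["category"] for r in vuln.get("remediations", [])
                     if pid in r.get("product_ids", [])]
            rows.append({"advisory": csaf["document"]["tracking"]["id"],
                         "product": names.get(pid, pid), "remediations": fixes})
    return rows
```

A row with an empty remediations list, like the constructed PID-3 entry here, is the case an automated pipeline should route to a person, since the advisory marks the product affected without attaching a fix to it.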

As of publication, the NVD entry is a coordinated vulnerability disclosure; it does not state that the flaw has been observed in active exploitation, and it had not been added to CISA's Known Exploited Vulnerabilities catalog. The practical takeaway for defenders is that an unauthenticated, network-reachable deserialization path to full system access in process-data software warrants checking exposure of the affected services and applying the vendor's update referenced in VDE-2026-051. Because the products are typically deployed inside plant networks, the network-reachability described in the record intersects with how exposed those services are to untrusted segments — a determination each operator makes against their own architecture, not one stated in the CVE.

This entry is among the critical-severity records the National Vulnerability Database published during the week of June 12 to June 18, 2026. Every figure above — the 9.8 and 9.3 scores, the CWE-502 classification, the remote and unauthenticated attributes, and the full-access outcome — is drawn directly from the NVD record and its CERT@VDE references, and each can be verified by following the canonical detail URL to nvd.nist.gov.