
Helmholz: Multiple Vulnerabilities in Helmholz Products

VDE-2024-069
Last update: 11/06/2024 12:27
Published at: 10/15/2024 10:00
Vendor(s): Helmholz GmbH & Co. KG
External ID: VDE-2024-069

Summary

Multiple vulnerabilities have been discovered in Helmholz products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the myREX24 V2 and myREX24.virtual products, while CVE-2024-45273 affects the REX200/250, myREX24 V2, myREX24.virtual and REX300 products.

Impact

CVE-2024-45272 allows a brute-force attack on remote credentials with a positive chance of success.

CVE-2024-45273 allows undetectable tampering and manipulation of encrypted configuration files.

Affected Product(s)

| Model no. | Product name | Affected versions |
|---|---|---|
| | Helmholz REX200/250 | Firmware <=8.2.0 |
| | Helmholz REX300 | Firmware <=5.1.11 |
| | Helmholz myREX24 V2 | Firmware <=2.16.2 |
| | Helmholz myREX24.virtual | Firmware <=2.16.2 |

Vulnerabilities


Published: 09/22/2025 14:58
Weakness: Weak Encoding for Password (CWE-261)
Summary: An unauthenticated local attacker can decrypt the device's config file and therefore compromise the device due to a weak implementation of the encryption used.


Published: 09/22/2025 14:58
Weakness: Use of Weak Credentials (CWE-1391)
Summary: An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in a lost connection.


Remediation

Update REX200/250 to version 8.2.1\
Update myREX24 V2 and myREX24.virtual to version 2.16.3\
Note: REX 300 devices are EOL and will not receive any further updates.

Revision History

| Version | Date | Summary |
|---|---|---|
| 1 | 10/15/2024 10:00 | Initial revision. |
| 2 | 11/06/2024 12:27 | Fix: correct certvde domain, added self-reference |