Helmholz: Remote user enumeration in myREX24/myREX24-virtual

VDE-2021-058
Last update: 14.05.2025 15:00
Published at: 08.12.2021 14:04
Vendor(s): Helmholz GmbH & Co. KG
External ID: VDE-2021-058

Summary

An issue was discovered in the myREX24 and myREX24-virtual software in all versions through V2.9.0.

Impact

Affected Product(s)

Model no. | Product name    | Affected versions
-         | myREX24         | Firmware <=2.9.0
-         | myREX24-virtual | Firmware <=2.9.0

Vulnerabilities

Published: 22.09.2025 14:57
Weakness: Observable Response Discrepancy (CWE-204)
Summary

An unauthenticated user can enumerate valid backend users by checking what kind of response the server sends for crafted invalid login attempts.

Remediation

Update myREX24/myREX24-virtual to 2.10.1

Revision History

Version | Date             | Summary
1       | 08.12.2021 14:04 | initial revision
2       | 14.05.2025 15:00 | Fix: added distribution