Vulnerabilities in myREX24/myREX24.virtual

VDE-2025-037

Last update

24.06.2025 12:00

Published at

24.06.2025 12:00

Vendor(s)

Helmholz GmbH & Co. KG

External ID

VDE-2025-037

CSAF Document

Download

Summary

The mb24api endpoint reachable when connected via VPN is missing authentication for sensitive functions. This can lead to information disclosure of user- and device names and to DoS.

Impact

Some limited sensitive data can be accessed and a DoS can be performed targeting a specific user/device.

Affected Product(s)

Model no.	Product name	Affected versions
	myREX24	Firmware <2.18.0
	myREX24.virtual	Firmware <2.18.0

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:57

Severity

8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Weakness

Missing Authentication for Critical Function (CWE-306)

Summary

An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function.

References

cve.org | nvd.nist.gov

Remediation

Update to latest version: 2.18.0

Revision History

Version	Date	Summary
1	24.06.2025 12:00	Initial revision.

Vulnerabilities in myREX24/myREX24.virtual

Summary

Impact

Affected Product(s)

Vulnerabilities

CVE-2025-3090 8.2

Remediation

Revision History