VDE-2025-038
Last update
24.06.2025 12:00
Published at
24.06.2025 12:00
Vendor(s)
Helmholz GmbH & Co. KG
External ID
VDE-2025-038
CSAF Document
Summary
Two vulnerabilities in myREX24/myREX24.virtual can lead to user enumeration and password bypass.
Impact
CVE-2025-3091: An attacker in possession of the second factor for a user can log in as that user without knowledge of the password (first factor).
CVE-2025-3092: An unprotected endpoint can be used to enumerate valid user names.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
 | myREX24 | Firmware <2.16.5, Firmware <2.18.0 |
 | myREX24.virtual | Firmware <2.16.5, Firmware <2.18.0 |
Vulnerabilities
Published
22.09.2025 14:57
Severity
Weakness
Observable Response Discrepancy (CWE-204)
Summary
An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint.
References
Published
22.09.2025 14:57
Severity
Weakness
Authorization Bypass Through User-Controlled Key (CWE-639)
Summary
A low-privileged remote attacker in possession of the second factor for another user can log in as that user without knowledge of the other user's password.
References
Remediation
CVE-2025-3091: Update to latest version: 2.16.5
CVE-2025-3092: Update to latest version: 2.18.0
Revision History
Version | Date | Summary |
---|---|---|
1 | 24.06.2025 12:00 | Initial revision. |