Back to overview

Helmholz: Authenticated unintended access to critical program parameters in myREX24V2/myREX24V2.virtual

VDE-2026-070
Last update
06/23/2026 14:00
Published at
06/23/2026 13:00
Vendor(s)
Helmholz GmbH & Co. KG
External ID
VDE-2026-070
CSAF Document
Download

Summary

There is a vulnerability in myREX24V2/myREX24V2.virtual that allows an authenticated remote attacker to access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters.

Impact

CVE-2026-10521 allows an authenticated remote attacker to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.

Affected Product(s)

Model no. Product name Affected versions
Helmholz myREX24V2 Firmware <2.20.2, Firmware 2.20.1
myREX24V2.virtual Firmware <2.20.2, Firmware 2.20.1

Vulnerabilities

Expand / Collapse all

Published
06/23/2026 09:45
Severity
7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness
Direct Request ('Forced Browsing') (CWE-425)
Summary

An authenticated remote attacker can access a hidden configuration method, that should not be accessible by any user, to modify critical program parameters. This can result in a total loss of confidentiality, integrity and availability.

References
cve.org | nvd.nist.gov

Remediation

Update the myREX24V2/myREX24V2.virtual instance to version 2.20.2.

Acknowledgments

Helmholz GmbH & Co. KG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 06/23/2026 13:00 Initial revision.
1.0.1 06/23/2026 14:00 The alias has been corrected