An authenticated remote attacker can exploit an undocumented method to escape the Lua sandbox in REX200/250 devices, enabling the execution of arbitrary operating system commands and leading to full system compromise.
Multiple vulnerabilities in all REX 100 devices with firmware <= 2.3.2 allow an attacker to gain full control over the device.
The mb24api endpoint, which is reachable when connected via VPN, is missing authentication for sensitive functions. This can lead to information disclosure of user and device names and to DoS.
Two vulnerabilities in myREX24/myREX24.virtual can lead to user enumeration and password bypass.
The data24 service that is bundled with every installation of myREX24/myREX24.virtual has two serious flaws in core components. These combined can lead to a complete loss of confidentiality, integrity and availability.
Multiple vulnerabilities have been discovered in Helmholz products that could allow RCE or unauthorized file access. CVE-2024-45272 affects the myREX24 V2 and myREX24.virtual products, while CVE-2024-45273 affects the REX200/250, myREX24 V2, myREX24.virtual and REX300 products.
Multiple vulnerabilities have been discovered in REX100 allowing for RCE or unauthorized file access.
Several Helmholz products are vulnerable to a possible race condition vulnerability in OpenSSH named "regreSSHion".