Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual

CVSS 5.3 | VDE-2022-017 | Sep 7, 2022
Vendor: Helmholz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

myREX24 and myREX24.virtual allow unauthenticated user enumeration through network access. An attacker can discover valid usernames without authentication credentials, which could facilitate further attacks on the system.

What this means
What could happen
An attacker can identify valid usernames on your myREX24 controller without logging in, reducing the barrier for subsequent attacks like credential guessing or brute force attempts.
Who's at risk
This affects organizations using Helmholz myREX24 controllers or myREX24.virtual instances for industrial automation, specifically those managing process equipment or safety-related functions that rely on user authentication for access control.
How it could be exploited
An attacker sends network requests to myREX24 or myREX24.virtual to enumerate valid usernames by observing response differences between valid and invalid accounts. This information can then be used to target brute force or social engineering attacks against the system.
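As an added example (not code from the advisory or from Helmholz; the user store, handlers and messages are constructed), the response-difference leak described above beside a hardened handler that answers identically for unknown users and wrong passwords and always performs the hash comparison, so neither the message nor the timing reveals whether an account exists:

```python
# Added example (constructed; not from the advisory or from Helmholz): a minimal
# login handler that leaks account existence through differing responses, beside
# a hardened version that answers uniformly whether or not the user exists.
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; the iteration count is kept modest for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: username -> (salt, password hash)
_SALT = b"constructed-salt"
USERS = {"engineer": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so a lookup for an unknown user still costs a full hash
_DUMMY = (_SALT, _hash(secrets.token_hex(8), _SALT))

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks existence: distinct status/message for unknown user vs bad password."""
    if username not in USERS:
        return 404, "unknown user"          # only reachable for nonexistent accounts
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "ok"
    return 401, "wrong password"             # only reachable for existing accounts

def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Uniform response: same status and text in both failure cases, and the
    password hash is always computed so the timing does not differ either."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and username in USERS:
        return 200, "ok"
    return 401, "invalid username or password"

def leaks_user_existence(handler) -> bool:
    """Reviewer check: does a wrong password for a real account produce a
    different response than the same password for a nonexistent account?"""
    real = handler("engineer", "not-the-password")
    fake = handler("nobody-here", "not-the-password")
    return real != fake
```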
Prerequisites
  • Network access to myREX24 or myREX24.virtual from the attacker's location
Tags: remotely exploitable, no authentication required, low complexity
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (2)
2 with fix

Product            Affected Versions   Fix Status
myREX24            ≤ 2.11.2            2.12.1
myREX24.virtual    ≤ 2.11.2            2.12.1
Remediation & Mitigation
Do now
myREX24
Workaround: Restrict network access to myREX24 management interfaces to authorized engineering workstations and administrative networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

myREX24
Hotfix: Update myREX24 to version 2.12.1 or later
Hotfix: Update myREX24.virtual to version 2.12.1 or later