Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual
Rating: Monitor | Score: 4.3 | VDE-2023-043 | Published Oct 16, 2023
- Attack Vector: Network
- Auth Required: Low
- Complexity: Low
- User Interaction: None needed
Summary
A vulnerability in myREX24 and myREX24.virtual allows an authenticated, low-privileged attacker to read non-critical device information due to improper access validation. The issue stems from insufficient permission checks that do not properly enforce role-based access controls on certain data fields.
What this means
What could happen
An authenticated low-privileged user could read non-critical device information they normally shouldn't access due to improper permission checks. This does not affect process control or device operation.
Who's at risk
This affects water authorities and municipalities using Helmholz myREX24 automation controllers (both hardware and virtual instances) for SCADA, process monitoring, or remote terminal units. Low-privilege operational staff could view restricted configuration details.
How it could be exploited
An attacker with valid low-privilege credentials (e.g., a regular operator account) could make API or UI requests that return device configuration or status information beyond their assigned role. No special tools or complexity are required; the application is used normally, and the missing permission check hands back data the account should not see.
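The defect described above is a missing per-field authorization check. The following added example is not Helmholz or myREX24 code; the role names, field names and the device record are assumptions. It contrasts an endpoint that only authenticates the caller with one that projects the response onto a deny-by-default, per-role field allowlist, and reports which fields the unchecked version would expose to each role.

```python
# Added illustration of field-level RBAC, not Helmholz/myREX24 code.
# Role names, field names and the device record below are assumptions.

# Constructed sample device record (field names are assumed, not the product's).
DEVICE = {
    "device_id": "rtu-0042",
    "name": "Pump station 3",
    "status": "online",
    "firmware_version": "2.14.2",
    "vpn_endpoint": "203.0.113.10:1194",  # constructed, documentation-range address
    "config_dump": "<constructed blob>",
}

# Deny-by-default allowlist: a role may read only the fields listed for it.
# An unknown role maps to the empty set, so it sees nothing.
FIELD_ALLOWLIST = {
    "operator": {"device_id", "name", "status"},
    "maintainer": {"device_id", "name", "status", "firmware_version"},
    "admin": set(DEVICE),
}

def device_view_unchecked(role, device=DEVICE):
    """Vulnerable shape: the caller is authenticated, but the role is never
    consulted, so every field of the record is returned."""
    return dict(device)

def device_view_checked(role, device=DEVICE):
    """Hardened shape: project the record onto the role's allowlist."""
    allowed = FIELD_ALLOWLIST.get(role, set())
    return {k: v for k, v in device.items() if k in allowed}

def leaked_fields(role, device=DEVICE):
    """Fields the unchecked endpoint exposes beyond what the role is entitled to."""
    exposed = set(device_view_unchecked(role, device))
    entitled = set(device_view_checked(role, device))
    return sorted(exposed - entitled)

def denied_fields(role, requested):
    """Fields of an explicit request that fall outside the role's allowlist;
    a non-empty result is what an authorization audit log should record."""
    return sorted(set(requested) - FIELD_ALLOWLIST.get(role, set()))

if __name__ == "__main__":
    for role in ("operator", "maintainer", "admin"):
        print(role, "would be exposed to:", leaked_fields(role))
```

Logging the result of `denied_fields` for every request gives a detection signal for low-privilege accounts repeatedly asking for fields outside their role.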
Prerequisites
- Valid low-privilege user account on myREX24 or myREX24.virtual
- Network access to the affected device (typically on-site or via engineering network)
Notes: requires valid credentials; affects information disclosure only
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
myREX24 | ≤ 2.14.2 | 2.14.3
myREX24.virtual | ≤ 2.14.2 | 2.14.3
Remediation & Mitigation
- Schedule: requires maintenance window
- Patching may require device reboot; plan for process interruption
- Hotfix: Update myREX24 and myREX24.virtual to version 2.14.3 or later
CVEs (1)