Helmholz: Vulnerabilities in myREX24 V2/myREX24.virtual

Status: Plan Patch
CVSS: 9.1
Advisory ID: VDE-2024-031
Published: Mar 18, 2025
Vendor: Helmholz
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: Low
  User Interaction: None needed
Summary

The data24 service bundled with myREX24 V2 and myREX24.virtual contains two critical authentication and data protection flaws. These vulnerabilities allow remote attackers without credentials to access sensitive device configuration data and potentially modify system settings. The flaws affect confidentiality, integrity, and availability. REX 200/REX 250 devices running firmware 8.0.0 through 8.1.3 are unable to receive the fix through myREX24 updates and require direct firmware upgrades to 8.2.0 or later.

What this means
What could happen
An attacker can access sensitive data stored on myREX24 devices without authentication and potentially modify configurations or halt operations. This affects all instances unless patched, compromising both data confidentiality and system availability.
Who's at risk
Organizations using Helmholz myREX24 V2 or myREX24.virtual devices for distributed I/O and data handling in manufacturing or process automation systems. This includes users with REX 200/REX 250 remote I/O modules that rely on these systems for configuration management and data services.
How it could be exploited
An attacker on the network sends requests to the data24 service running on myREX24 V2 or myREX24.virtual devices. Due to missing authentication checks and improper data protection, the attacker can read sensitive configuration data and potentially inject commands that alter device behavior or stop operations without needing valid credentials.
Prerequisites
  • Network access to the data24 service port on myREX24 or myREX24.virtual devices
  • No credentials required
Tags: remotely exploitable; no authentication required; low complexity; high CVSS score (9.1); affects data confidentiality and integrity; unauthenticated access to device configuration
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (3): 2 with fix, 1 pending

  Product            Affected Versions   Fix Status
  myREX24 V2         <2.16.2             2.16.2
  myREX24.virtual    <2.16.2             2.16.2
  Firmware <8.2.0    All versions        No fix yet
Remediation & Mitigation

Do now
  • Workaround: Restrict network access to the data24 service port to only authorized management systems and engineering workstations

Schedule — requires maintenance window

Patching may require a device reboot; plan for process interruption.

myREX24 V2
  • Hotfix: Update myREX24 V2 and myREX24.virtual to version 2.16.2 or later

All products
  • Hotfix: If using REX 200/REX 250 devices with firmware 8.0.0 through 8.1.3, upgrade the firmware to 8.2.0 or later
  • Hardening: When creating downloadable device configurations, ensure the target device serial number is known to myREX24 before configuration generation so that the configuration can be encrypted