Helmholz: Vulnerabilities in myREX24 V2/myREX24.virtual
Act Now9.1VDE-2024-031Mar 18, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
The data24 service bundled with myREX24 V2 and myREX24.virtual contains two critical vulnerabilities (CVE-2024-23943 and CVE-2024-23942) affecting authentication and encryption in core components. These flaws can be combined to completely compromise confidentiality, integrity, and availability of controlled systems. myREX24 V2/myREX24.virtual versions before 2.16.2 are affected. REX 200/REX 250 devices with firmware versions 8.0.0–8.1.3 are additionally vulnerable; firmware 8.2.0 or later is required but not all devices can be patched.
What this means
What could happen
An attacker could intercept and decrypt sensitive device configurations containing operational parameters, or inject malicious commands into the data24 service, compromising process control and data confidentiality on your REX controllers.
Who's at risk
Water authorities and utilities using Helmholz myREX24 V2 or myREX24.virtual for process control automation. REX 200 and REX 250 controller devices running firmware 8.0.0–8.1.3 are at highest risk due to lack of available firmware patches. Any organization managing distributed control systems or SCADA-like configurations through myREX24 should prioritize patching.
How it could be exploited
An attacker with network access to the data24 service (included in every myREX24 installation) can exploit missing authentication and weak encryption to read sensitive configurations or inject commands that alter device behavior. REX 200/250 devices with firmware versions 8.0.0–8.1.3 are additionally vulnerable and cannot be fully patched.
Prerequisites
- Network access to the data24 service port on myREX24 V2/myREX24.virtual systems
- For REX 200/250 devices: firmware version 8.0.0 through 8.1.3 is unpatched and cannot be fully remediated
remotely exploitableno authentication requiredlow complexityaffects control system integrityno patch available for some firmware versions
Affected products (3)
2 with fix1 pending
ProductAffected VersionsFix Status
myREX24 V2<2.16.22.16.2
myREX24.virtual<2.16.22.16.2
Firmware <8.2.0All versionsNo fix yet
Remediation & Mitigation
0/4
Do now
0/3myREX24 V2
HOTFIXUpdate myREX24 V2 and myREX24.virtual to version 2.16.2 or later
All products
HOTFIXFor REX 200/REX 250 devices running firmware 8.0.0–8.1.3, update firmware to version 8.2.0 or later
WORKAROUNDRestrict network access to the data24 service to authorized engineering and management systems only using firewall rules
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
myREX24 V2
HARDENINGEnsure device serial numbers are registered with myREX24 V2/myREX24.virtual before creating downloadable configurations to enable configuration encryption
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f86ba363-9b08-46fb-8d66-b7285cc15230