Helmholz: Multiple Vulnerabilities in Helmholz products

Act Now | 9.8 | VDE-2024-069 | Oct 15, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in Helmholz PLC products (REX 200, REX 250, myREX24V2, myREX24V2.virtual, REX 300) allow remote code execution and unauthorized file access. CVE-2024-45272 affects myREX24V2 variants. CVE-2024-45273 affects REX 200/250 and myREX24V2 variants, exploiting weak authentication and hardcoded credentials. CVE-2024-45275 affects REX 200/250. REX 300 is end-of-life and will not receive updates.

What this means
What could happen
An attacker with network access to affected Helmholz PLC devices could execute arbitrary commands on the controller, allowing them to modify process logic, alter setpoints, or halt operations at critical infrastructure like water treatment or power distribution facilities.
Who's at risk
Water utilities, electric cooperatives, and other municipal infrastructure operators using Helmholz REX 200, REX 250, myREX24V2, or myREX24V2.virtual PLCs for process automation, pump control, or other critical control logic. REX 300 users are at risk but cannot be patched due to end-of-life status.
How it could be exploited
An attacker with network connectivity to the device sends a specially crafted network request that exploits hardcoded credentials or weak authentication mechanisms (CVE-2024-45273) to gain unauthorized access. Once authenticated, or after bypassing authentication, the attacker uploads or executes malicious code on the PLC to achieve remote code execution.
Prerequisites
  • Network reachability to the affected Helmholz device on the network port used for device communication or configuration
  • No special credentials required if authentication weaknesses are exploited; default or hardcoded credentials may be present
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • High CVSS score (9.8)
  • Affects industrial controllers
  • REX 300 has no patch available
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
Helmholz myREX24V2 | ≤ 2.16.2 | 2.16.3
Helmholz myREX24V2.virtual | ≤ 2.16.2 | 2.16.3
Helmholz REX 200 / REX 250 | ≤ 8.2.0 | 8.2.1
Helmholz REX 300 | ≤ 5.1.11 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable or restrict remote management interfaces on Helmholz devices if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update REX 200 / REX 250 devices to firmware version 8.2.1 or later
HOTFIX: Update myREX24V2 and myREX24V2.virtual devices to firmware version 2.16.3 or later
Mitigations - no patch available
Helmholz REX 300 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation so that Helmholz PLC devices are not reachable from untrusted networks and can be accessed from management VLANs only
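
An added example, not part of the original advisory or any vendor material: a Python script that triages an asset inventory against the affected-products table and maps each device to the remediation step listed here. The inventory columns (host, product, version), the hostnames and the sample firmware versions are constructed assumptions; versions are compared numerically so that 2.16.10 is not mistaken for a release older than 2.16.2.

```python
import csv
import io

# Affected ranges and fixed versions as listed in this advisory's product table.
# Keys are normalized product names; fixed=None means end of life, no patch.
ADVISORY = {
    "myrex24v2":         {"max_affected": "2.16.2", "fixed": "2.16.3"},
    "myrex24v2.virtual": {"max_affected": "2.16.2", "fixed": "2.16.3"},
    "rex 200":           {"max_affected": "8.2.0",  "fixed": "8.2.1"},
    "rex 250":           {"max_affected": "8.2.0",  "fixed": "8.2.1"},
    "rex 300":           {"max_affected": "5.1.11", "fixed": None},
}

def parse_version(text):
    """Turn '2.16.10' into (2, 16, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def triage(product, version):
    """Return (status, action) for one device."""
    entry = ADVISORY.get(product.strip().lower().removeprefix("helmholz ").strip())
    if entry is None:
        return "not-listed", "not covered by this advisory"
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown", "firmware version unreadable, verify on the device"
    if current > parse_version(entry["max_affected"]):
        return "ok", "none"
    if entry["fixed"] is None:
        return "affected-eol", "no fix: segment the device, restrict remote management"
    return "affected", f"update to {entry['fixed']} or later"

def triage_inventory(csv_text):
    """Triage a CSV with columns host,product,version (assumed layout)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["product"], r["version"]) for r in rows}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,product,version
site-a-01,Helmholz myREX24V2,2.16.2
site-a-02,myREX24V2.virtual,2.16.10
site-b-01,REX 250,8.2.0
site-b-02,REX 200,8.2.1
site-c-01,REX 300,5.1.11
"""

if __name__ == "__main__":
    for host, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{host:10} {status:13} {action}")
```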
Helmholz: Multiple Vulnerabilities in Helmholz products | CVSS 9.8 - OTPulse