Helmholz: Multiple Vulnerabilities in Helmholz products

Plan Patch | CVSS 9.8 | VDE-2024-069 | Oct 15, 2024
Helmholz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple critical vulnerabilities have been discovered in Helmholz controllers, tracked as CVE-2024-45272, CVE-2024-45273, and CVE-2024-45275. They stem from hardcoded credentials (CWE-798), missing authentication (CWE-261), and initialization with hard-coded network resource configuration passwords (CWE-1391) in the myREX24V2, myREX24V2.virtual, REX 200, and REX 250 products. Successful exploitation allows remote code execution, unauthorized file access, and control logic manipulation. REX 300 is end-of-life and will not receive security updates.

What this means
What could happen
An attacker with network access to Helmholz REX controllers or myREX24V2 devices could execute arbitrary code, alter control logic, steal configuration files, or disrupt operations. REX 300 controllers will not receive patches and remain permanently vulnerable.
Who's at risk
Organizations operating Helmholz REX 200, REX 250, REX 300, myREX24V2, and myREX24V2.virtual controllers used in automation systems, packaging machinery, and process control applications should apply patches or implement compensating controls immediately.
How it could be exploited
An attacker on the same network (or via exposed management interfaces) can send crafted requests to exploit hardcoded credentials or improper input validation in the web management interface or API endpoints of affected Helmholz controllers. Successful exploitation allows remote code execution or unauthorized file access on the controller.
Prerequisites
  • Network access to the web management interface or API port of the affected Helmholz device (typically port 80/443)
  • No authentication required for at least one of the three vulnerabilities
Tags: remotely exploitable, no authentication required, low complexity, hardcoded credentials, high CVSS score (9.8), no patch available for REX 300 (end-of-life)
Exploitability
Some exploitation risk — EPSS score 3.4%
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
Helmholz myREX24V2 | ≤ 2.16.2 | 2.16.3
Helmholz myREX24V2.virtual | ≤ 2.16.2 | 2.16.3
Helmholz REX 200 / REX 250 | ≤ 8.2.0 | 8.2.1
Helmholz REX 300 | ≤ 5.1.11 | No fix (EOL)
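Added example, not part of the advisory or any Helmholz tooling: a small Python triage script that checks a device inventory against the version thresholds in the table above. It compares versions numerically, so a firmware such as 2.16.10 is not mistaken for a vulnerable release by string comparison. The inventory format, hostnames and firmware values are constructed for illustration.

```python
from typing import Dict, Iterable, Optional, Tuple

# Thresholds from the advisory table: (last affected, fixed version; None = EOL, no fix)
AFFECTED: Dict[str, Tuple[str, Optional[str]]] = {
    "myREX24V2": ("2.16.2", "2.16.3"),
    "myREX24V2.virtual": ("2.16.2", "2.16.3"),
    "REX 200": ("8.2.0", "8.2.1"),
    "REX 250": ("8.2.0", "8.2.1"),
    "REX 300": ("5.1.11", None),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.16.10' into (2, 16, 10). Comparing as strings would put
    '2.16.10' below '2.16.3' and misclassify a patched device as vulnerable."""
    return tuple(int(part) for part in v.strip().split("."))

def assess(product: str, version: str) -> str:
    """Classify one device: unknown, patched, vulnerable, or vulnerable-eol."""
    if product not in AFFECTED:
        return "unknown"
    last_affected, fix = AFFECTED[product]
    if parse_version(version) > parse_version(last_affected):
        return "patched"
    return "vulnerable-eol" if fix is None else "vulnerable"

def check_inventory(lines: Iterable[str]) -> Dict[str, str]:
    """Parse 'hostname,product,firmware' lines (an assumed inventory format)
    and return {hostname: status}. Blank lines and '#' comments are skipped."""
    results: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, firmware = (f.strip() for f in line.split(",", 2))
        results[host] = assess(product, firmware)
    return results

# Constructed sample inventory; hostnames and firmware values are illustrative.
SAMPLE_INVENTORY = """\
# hostname,product,firmware
line1-router,REX 250,8.2.0
line2-router,REX 250,8.2.1
portal-vm,myREX24V2.virtual,2.16.10
legacy-cell,REX 300,5.1.11
other-gw,Unlisted product,1.0.0
"""

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host}: {status}")
```

Devices reported as vulnerable-eol (REX 300) have no firmware fix and need the network restrictions from the mitigation section instead.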
Remediation & Mitigation
Do now
WORKAROUND: For REX 300 controllers (end-of-life, no patch available): restrict network access to the management interface using firewall rules, allowing only authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Helmholz myREX24V2
HOTFIX: Update Helmholz myREX24V2 and myREX24V2.virtual to firmware version 2.16.3 or later
All products
HOTFIX: Update Helmholz REX 200 and REX 250 controllers to firmware version 8.2.1 or later
Mitigations - no patch available
Helmholz REX 300 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate Helmholz controllers on a protected OT subnet, blocking unauthorized inbound access from IT networks