Vulnerabilities in myREX24/myREX24.virtual

Remediation status: Plan Patch
CVSS: 8.2
Advisory ID: VDE-2025-037
Published: Jun 24, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The mb24api endpoint in myREX24 and myREX24.virtual (<2.17.1) lacks authentication checks on sensitive functions reachable over VPN. An attacker can exploit this to disclose user and device names or cause a denial of service by crashing the gateway. Fixed in version 2.18.0.

What this means
What could happen
An attacker with VPN access to a myREX24 gateway could read usernames, device names, and other configuration data, or cause the device to become unresponsive, disrupting automation and control operations that rely on the gateway.
Who's at risk
Helmholz myREX24 gateway operators, particularly those in water treatment, power distribution, and industrial automation environments where the device controls or aggregates PLC and sensor data. Any facility using the VPN feature should be considered at risk.
How it could be exploited
An attacker on the same VPN network as a myREX24 device could directly call the mb24api endpoint without credentials to extract sensitive information or send malicious requests that crash the gateway service, stopping PLC communication and automation logic.
Prerequisites
  • VPN network access to the myREX24 device
  • Knowledge or discovery of the mb24api endpoint
  • No credentials required
Tags: remotely exploitable, no authentication required, low complexity, affects industrial control gateway
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 with fix
Product         | Affected Versions | Fix Status
myREX24         | <2.17.1           | 2.18.0
myREX24.virtual | <2.17.1           | 2.18.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

myREX24
HOTFIX: Update myREX24 and myREX24.virtual to firmware version 2.18.0 or later