Vulnerabilities in myREX24/myREX24.virtual
Plan Patch | CVSS 8.2 | VDE-2025-037 | Jun 24, 2025
Helmholz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The mb24api endpoint lacks authentication controls for sensitive functions when accessed via VPN. An attacker with network access could retrieve user and device names or cause denial of service.
What this means
What could happen
An attacker on your VPN could enumerate all user and device names from myREX24, or disrupt availability of the gateway by triggering denial of service attacks against the unauthenticated API endpoint.
Who's at risk
Organizations operating Helmholz myREX24 or myREX24.virtual gateways in their OT network as protocol converters or gateway devices. This applies to facilities using these devices for IEC 60870-5-104, Profibus, Profinet, or other industrial protocol bridging.
How it could be exploited
An attacker with VPN access connects to the myREX24 device and sends requests directly to the mb24api endpoint without credentials. The endpoint accepts the requests and returns sensitive data (user and device names) or processes DoS commands that degrade or stop the gateway's normal operation.
Prerequisites
- Network access to the myREX24 device via VPN
- Knowledge of the mb24api endpoint existence or discovery via port scanning/enumeration
Tags: remotely exploitable; no authentication required; low complexity; VPN required but reduces exposure vs. Internet-facing
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
myREX24 | <2.17.1 | 2.18.0
myREX24.virtual | <2.17.1 | 2.18.0
Remediation & Mitigation
Do now
myREX24
HARDENING: Restrict VPN network access to the myREX24 device to only trusted engineering and management workstations using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
myREX24
HOTFIX: Update myREX24 and myREX24.virtual to version 2.18.0 or later
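To check that the hardening step above actually holds, the following added example (not part of the advisory and not Helmholz code) audits a request log from a firewall or proxy in front of the gateway for mb24api requests from VPN sources outside the trusted workstation range. The log format, the trusted subnet, the `/mb24api/<placeholder>` path and the burst threshold are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: VPN addresses of trusted engineering/management workstations.
TRUSTED = [ipaddress.ip_network("10.8.0.16/29")]
BURST_THRESHOLD = 3  # assumed: mb24api requests per source per minute

# Constructed sample lines: "<ISO timestamp> <src ip> <method> <path> <status>"
SAMPLE_LOG = """\
2025-07-01T09:00:01Z 10.8.0.18 GET /mb24api/<placeholder> 200
2025-07-01T09:00:05Z 10.8.0.77 GET /mb24api/<placeholder> 200
2025-07-01T09:00:06Z 10.8.0.77 GET /mb24api/<placeholder> 200
2025-07-01T09:00:07Z 10.8.0.77 GET /mb24api/<placeholder> 200
2025-07-01T09:01:10Z 10.8.0.90 GET /status 200
malformed line
"""

def is_trusted(ip):
    """True if the source address is inside an allowed workstation range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def audit(log_text):
    """Report untrusted sources reaching mb24api and sources sending bursts."""
    untrusted = Counter()
    per_minute = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        # Skip malformed lines and requests that do not touch mb24api.
        if len(parts) != 5 or "mb24api" not in parts[3]:
            continue
        ts, src = parts[0], parts[1]
        try:
            trusted = is_trusted(src)
        except ValueError:
            continue  # source field is not an IP address
        if not trusted:
            untrusted[src] += 1
        # Bucket by minute ("YYYY-MM-DDTHH:MM") to spot DoS-like bursts.
        per_minute[(src, ts[:16])] += 1
    bursts = sorted({s for (s, _), n in per_minute.items() if n >= BURST_THRESHOLD})
    return {"untrusted_sources": dict(untrusted), "burst_sources": bursts}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Any entry under `untrusted_sources` means the firewall or segmentation rule is not limiting access to the intended workstations.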
CVEs (1)