Vulnerabilities in myREX24/myREX24.virtual

Plan Patch | CVSS 7.5 | VDE-2025-038 | Jun 24, 2025
Helmholz
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Two vulnerabilities in Helmholz myREX24 and myREX24.virtual industrial automation controllers allow user enumeration and password bypass. The user enumeration vulnerability permits attackers to identify valid user accounts through differential error responses. The password bypass vulnerability allows unauthorized access to the system without valid credentials. Both vulnerabilities require network access to the management interface but do not require prior authentication or complex exploitation techniques.

What this means
What could happen
An attacker with low-level network access could enumerate valid user accounts and bypass authentication on myREX24 controllers, potentially gaining unauthorized access to critical process automation and control logic.
Who's at risk
Water authorities, electric utilities, and other critical infrastructure operators using Helmholz myREX24 industrial automation controllers for process control, data aggregation, and remote I/O management. Any organization relying on myREX24 or myREX24.virtual for SCADA or distributed control systems should prioritize this update.
How it could be exploited
An attacker on the network can send authentication requests to the myREX24 controller to identify valid usernames through error response differences (user enumeration), then exploit an authentication weakness to bypass the login requirement and access the system without valid credentials.
Prerequisites
  • Network access to the myREX24 or myREX24.virtual management interface (typically port 443 or 80)
  • No valid credentials required for exploitation
Tags: remotely exploitable, no authentication required, low complexity, affects critical control systems, user enumeration enables targeted attacks
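The enumeration step described above (one source probing many usernames and receiving a different response for "unknown user" than for "wrong password") is something an operator can watch for in authentication logs while the update is being scheduled. The following Python script is an added example, not code from Helmholz or from this advisory; the log line format, field names and sample entries are constructed assumptions, since the page does not describe the myREX24 log format. It flags a source address that fails logins for several distinct usernames inside a short window and records which names the device confirmed as existing, which is exactly the information the differential response leaks.

```python
"""Detect user-enumeration patterns in authentication logs.

Added example; not part of the Helmholz advisory and not the myREX24
product's own logging format. The log line layout, field names and the
sample entries are constructed so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not vendor output).
# 10.0.0.5 probes six usernames in five seconds; the device answers
# "unknown_user" for four of them and "bad_password" for two, so the
# attacker learns that "operator" and "admin" exist.
# 10.0.0.9 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
2025-06-24T10:00:01Z src=10.0.0.5 user=alice result=fail reason=unknown_user
2025-06-24T10:00:02Z src=10.0.0.5 user=bob result=fail reason=unknown_user
2025-06-24T10:00:03Z src=10.0.0.5 user=operator result=fail reason=bad_password
2025-06-24T10:00:04Z src=10.0.0.5 user=engineer result=fail reason=unknown_user
2025-06-24T10:00:05Z src=10.0.0.5 user=admin result=fail reason=bad_password
2025-06-24T10:00:06Z src=10.0.0.5 user=root result=fail reason=unknown_user
2025-06-24T10:05:00Z src=10.0.0.9 user=operator result=fail reason=bad_password
2025-06-24T10:05:30Z src=10.0.0.9 user=operator result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_enumeration(log_text, window=timedelta(minutes=5), min_distinct_users=4):
    """Return {src: finding} for sources whose failures look like enumeration.

    A source is flagged when, inside `window`, it fails authentication for at
    least `min_distinct_users` distinct usernames. The finding keeps the
    window with the most distinct names and lists the usernames the device
    confirmed as existing (reason=bad_password).
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["result"] == "fail":
            failures[rec["src"]].append(rec)

    findings = {}
    for src, recs in failures.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        # Sliding window over this source's failures, ordered by timestamp.
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            users = {r["user"] for r in window_recs}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "confirmed_existing": sorted(
                        {r["user"] for r in window_recs if r["reason"] == "bad_password"}
                    ),
                    "first": window_recs[0]["ts"],
                    "last": window_recs[-1]["ts"],
                }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {finding['distinct_users']} usernames probed between "
              f"{finding['first']:%H:%M:%S} and {finding['last']:%H:%M:%S}; "
              f"confirmed existing: {', '.join(finding['confirmed_existing'])}")
```

The thresholds are deliberately conservative defaults: a single operator mistyping a password a few times stays below four distinct usernames, while a scripted sweep crosses it within seconds. Feed the device's real log export through a `parse_line` adapted to its actual format and route findings to the SIEM rule that already covers the management network.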
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (4)
4 with fix
Product           Affected Versions   Fix Status
myREX24           < 2.16.5            2.16.5
myREX24           < 2.18.0            2.16.5
myREX24.virtual   < 2.16.5            2.16.5
myREX24.virtual   < 2.18.0            2.16.5
Remediation & Mitigation
Do now
myREX24
WORKAROUND: Restrict network access to the myREX24 management interface to engineering workstations and authorized personnel only, using firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

myREX24
HOTFIX: Update myREX24 to version 2.16.5 or later.
HOTFIX: Update myREX24.virtual to version 2.16.5 or later.
Long-term hardening
HARDENING: Disable remote management access if it is not required for operations, or restrict it to a dedicated management VPN.