Vulnerabilities in myREX24/myREX24.virtual

Plan Patch | 7.5 | VDE-2025-038 | Jun 24, 2025
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

Two vulnerabilities in Helmholz myREX24 and myREX24.virtual devices allow user enumeration and password bypass. These flaws enable an authenticated attacker to enumerate valid user accounts and bypass authentication controls, potentially granting unauthorized access to device configuration and control functions.

What this means
What could happen
An attacker with login access could enumerate valid user accounts and bypass authentication to gain unauthorized access to the myREX24 device, potentially allowing them to modify control logic, change process parameters, or disrupt normal operations of connected industrial equipment.
Who's at risk
Water authorities and utilities operating Helmholz myREX24 or myREX24.virtual remote terminal units (RTUs) or industrial controllers should apply these fixes. Affected devices are typically used in SCADA systems, remote monitoring, and distributed control applications where PLCs or RTUs manage critical infrastructure like water treatment, distribution networks, or power generation.
How it could be exploited
An attacker with network access to the myREX24 device and valid login credentials could exploit user enumeration to identify valid accounts, then use a password bypass technique to gain unauthorized admin access without requiring a valid password. From there, they could modify device configuration or control parameters.
Prerequisites
  • Network access to the myREX24 device on port 80/443 or its management interface
  • Valid login credentials for any user account (enumeration aids in identifying target accounts)
Tags:
  • remotely exploitable
  • requires valid credentials
  • affects device administration and control logic
  • no patch available for some product versions
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
Product           Affected Versions   Fix Status
myREX24           <2.16.5             2.16.5
myREX24           <2.18.0             2.16.5
myREX24.virtual   <2.16.5             2.16.5
myREX24.virtual   <2.18.0             2.16.5
Remediation & Mitigation
Do now
myREX24
WORKAROUND: Restrict network access to the myREX24 management interface to authorized engineering workstations and administrative networks only
HARDENING: Require strong, unique passwords for all myREX24 user accounts and implement account lockout after multiple failed login attempts
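The hardening item above (lockout after repeated failures) and the enumeration behaviour in the summary can both be monitored from the device's login audit trail. The following is an added example, not Helmholz code or a myREX24 feature: it assumes a constructed log line format of "<ISO time> <client ip> <username> <ok|fail>" and flags sources that probe many usernames as well as accounts that have reached the lockout threshold.

```python
# Added example (not Helmholz code): flag the user-enumeration and brute-force
# patterns described in this advisory in a web-login audit log. The line format
# "<ISO time> <client ip> <username> <ok|fail>" and the sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-06-24T10:00:01 10.0.0.5 operator ok
2025-06-24T10:01:10 10.0.0.9 admin fail
2025-06-24T10:01:11 10.0.0.9 maint fail
2025-06-24T10:01:12 10.0.0.9 service fail
2025-06-24T10:01:13 10.0.0.9 backup fail
2025-06-24T10:01:14 10.0.0.9 operator fail
2025-06-24T10:01:15 10.0.0.9 operator fail
2025-06-24T10:01:16 10.0.0.9 operator fail
"""

def parse(log_text):
    """Return (timestamp, ip, user, success) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "ok"))
    return sorted(events)

def find_enumeration(events, window=timedelta(minutes=5), min_distinct=4):
    """Source IPs that failed logins against >= min_distinct usernames within `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_distinct:
                flagged[ip] = sorted(users)
                break
    return flagged

def lockout_candidates(events, max_failures=3, window=timedelta(minutes=15)):
    """Accounts whose failures within `window` (since the last success) reached max_failures."""
    recent = defaultdict(list)
    locked = set()
    for ts, ip, user, ok in events:
        if ok:
            recent[user].clear()  # a successful login resets the failure streak
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) >= max_failures:
            locked.add(user)
    return locked
```

Thresholds are placeholders; tune the window and counts to the normal login rate of your engineering staff before alerting on them.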
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

myREX24
HOTFIX: Update myREX24 to version 2.16.5 or later
HOTFIX: Update myREX24 to version 2.18.0 or later