Helmholz: Multiple vulnerabilities in REX 100
CVSS 7.2 (High) · VDE-2025-059 · Published Jul 21, 2025
Attack Vector: Network
Auth Required: High (a valid privileged account on the device)
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Helmholz REX 100 industrial routers (firmware ≤2.3.2, i.e. anything below 2.3.3), including OS command injection (CWE-78), SQL injection (CWE-89), out-of-bounds write (CWE-787), and cross-site scripting (CWE-79), allow an authenticated attacker to gain full control of the device. Together they enable arbitrary code execution on the router; because the REX 100 provides the remote-maintenance path into the automation network behind it, a compromised device is a foothold from which process automation can be reached, setpoints altered, or operations disrupted.
What this means
What could happen
An authenticated attacker could execute arbitrary commands on a REX 100 device with the device's privileges and, from there, reach the automation equipment the router connects, potentially altering automation logic, interrupting industrial processes, or causing equipment damage. This affects any facility relying on a REX 100 for remote access to process control or monitoring systems.
Who's at risk
Facilities using Helmholz REX 100 industrial routers for remote maintenance of industrial automation, building automation, or process control networks. This includes water treatment plants, HVAC systems, manufacturing lines, and any other site where a REX 100 fronts critical process control equipment.
How it could be exploited
An attacker holding valid credentials for a vulnerable REX 100 (via the web interface, SSH, or engineering tools) can use the command injection or buffer overflow vulnerabilities to execute arbitrary code with the device's privileges. Authentication comes first; the malicious input is then delivered through configuration or script upload functions that do not adequately validate it.
Prerequisites
- Valid login credentials (engineering user or administrator) for the REX 100 device
- Network access to the device's management interface (HTTP/HTTPS or SSH)
- Device running firmware version 2.3.2 or earlier
Key facts:
- Remotely exploitable over the network
- Requires valid credentials, but affects high-privilege operations
- High CVSS score (7.2)
- Multiple vulnerability types (command injection, buffer overflow, SQL injection, XSS)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: Helmholz REX 100
Affected versions: firmware below 2.3.3 (all releases up to and including 2.3.2)
Fix status: fix available (firmware 2.3.3)
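An added example, not from the advisory or the vendor: a small fleet-triage helper that sorts REX 100 firmware strings against the 2.3.3 fix threshold. The inventory is constructed sample data, not real device output, and how the firmware string is read from a device is outside what this page covers. The point it makes is that versions must be compared numerically: a plain string comparison would file a hypothetical 2.3.10 under "below 2.3.3".

```python
import re
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, int, int] = (2, 3, 3)  # first fixed release per the advisory


def parse_version(s: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.patch', tolerating a leading 'v' and a trailing
    build suffix such as '-beta'. Returns None when the string is unusable."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(firmware: str) -> Optional[bool]:
    """True if firmware < 2.3.3 (i.e. <= 2.3.2), False if fixed, None if unknown."""
    v = parse_version(firmware)
    if v is None:
        return None
    return v < FIXED_VERSION


def naive_is_affected(firmware: str) -> bool:
    """The wrong way: lexical comparison. Shown only to make the pitfall visible."""
    return firmware < "2.3.3"


# Constructed sample inventory: (hostname, firmware string as reported by the device).
INVENTORY = [
    ("rex100-line1", "2.3.2"),
    ("rex100-line2", "2.3.3"),
    ("rex100-hvac", "2.2.0"),
    ("rex100-wtp", "2.3.10"),      # hypothetical later release; string compare gets it wrong
    ("rex100-spare", "unknown"),   # device unreachable or field empty
]


def triage(inventory):
    """Bucket hosts into 'patch' (affected), 'ok' (fixed) and 'verify' (unknown)."""
    out = {"patch": [], "ok": [], "verify": []}
    for host, fw in inventory:
        state = is_affected(fw)
        bucket = "verify" if state is None else ("patch" if state else "ok")
        out[bucket].append(host)
    return out


if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket:>6}: {', '.join(hosts) or '-'}")
    print("naive string compare on 2.3.10:", naive_is_affected("2.3.10"))  # True (wrong)
```

Hosts in the "verify" bucket should be treated as affected until their firmware version is confirmed.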
Remediation & Mitigation
Do now
- Hardening: Enable the 'Lock network configuration (Conftool)' feature in the device settings to prevent unauthorized configuration changes.
- Hardening: Restrict network access to the REX 100 management interfaces (HTTP/HTTPS, SSH) to authorized engineering workstations, using firewall rules or network segmentation. Since every listed vulnerability requires authentication, this shrinks the set of hosts from which a valid credential could be used against the device.
- Hardening: Audit and enforce strong, unique credentials for all REX 100 device accounts; change or disable any default credentials still present.
Schedule — requires maintenance window
Patching may require a device reboot; plan for the interruption of connections routed through the device.
- Hotfix: Update the REX 100 firmware to version 2.3.3 or later.
CVEs (8)