Helmholz: Sandbox escape in REX200/250 LUA interpreter
Plan Patch | CVSS 7.2 | VDE-2025-069 | Jul 31, 2025
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
An authenticated remote attacker can exploit an undocumented method to escape the LUA sandbox in REX200/250 devices, enabling execution of arbitrary operating system commands and leading to full system compromise. REX 300 is end-of-life and will not receive updates.
What this means
What could happen
An authenticated attacker could run arbitrary commands on REX200/250 controllers, potentially modifying process logic, altering setpoints, disabling safety interlocks, or halting industrial operations. REX 300 devices cannot be patched and remain permanently vulnerable.
Who's at risk
Water authorities and utilities using Helmholz REX 200, 250, or 300 programmable logic controllers (PLCs) for process automation and control are affected. REX 300 devices in particular require urgent attention as they cannot be patched by the vendor.
How it could be exploited
An attacker with valid engineering credentials (such as those obtained through phishing or insider access) can connect to the REX200/250 device remotely and use an undocumented LUA method to break out of the sandbox restriction, then execute arbitrary OS-level commands on the controller.
Prerequisites
- Valid engineering workstation credentials for the REX device
- Network access to the REX200/250 management/engineering interface
- remotely exploitable
- high CVSS score (7.2)
- affects PLCs controlling critical industrial operations
- no patch available for REX 300
- requires valid credentials but credentials can be obtained through common attack methods
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
1 with fix, 1 EOL
Product | Affected Versions | Fix Status
Helmholz REX 200/250 | < 7.3.0 | >= 7.3.0
Helmholz REX 300 | ≤ 5.1.11 | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to REX200/250 engineering interfaces to authorized engineering workstations only using firewall rules or network segmentation
- HARDENING: For REX 300 controllers, implement compensating controls including strict network isolation and continuous monitoring since no vendor patch is available
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update REX 200/250 controllers to firmware version 7.3.0 or later
Mitigations - no patch available
Helmholz REX 300 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Implement multi-factor authentication for engineering credentials if not already in use
CVEs (1)