Helmholz: Sandbox escape in REX200/250 LUA interpreter
Plan Patch | CVSS 7.2 | VDE-2025-069 | Jul 31, 2025
Helmholz
Attack path
- Attack Vector: Network
- Auth Required: High
- Complexity: Low
- User Interaction: None needed
Summary
An authenticated remote attacker can exploit an undocumented method to escape the LUA sandbox in REX200/250 devices, enabling the execution of arbitrary operating system commands and leading to full system compromise. REX 300 is end-of-life and will not receive updates.
What this means
What could happen
An attacker with engineering credentials could run arbitrary commands on REX 200/250 controllers, potentially altering program logic, halting processes, or corrupting the control system. REX 300 devices cannot be patched and remain vulnerable indefinitely.
Who's at risk
Water authorities and municipal utilities using Helmholz REX 200, REX 250, or REX 300 programmable controllers for process automation, particularly those with remote engineering access or networked development environments.
How it could be exploited
An attacker with valid engineering workstation credentials connects to the REX device over the network, accesses the LUA interpreter, and uses an undocumented method to break out of the sandbox. Once outside the sandbox, the attacker executes arbitrary OS commands with full device privileges.
Prerequisites
- Network access to REX 200/250 or REX 300 device management interface
- Valid engineering workstation credentials
- remotely exploitable
- authentication required but with engineering credentials
- full system compromise possible
- REX 300 has no patch available
- affects control logic execution
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (2)
1 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Helmholz REX 200/250 | <7.3.0 | >=7.3.0 |
| Helmholz REX 300 | ≤ 5.1.11 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to REX 200/250 and REX 300 management interfaces using firewall rules; allow only from designated engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Helmholz REX 200/250
- HOTFIX: Update Helmholz REX 200/250 devices to firmware version 7.3.0 or later
Mitigations - no patch available
Helmholz REX 300 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: For REX 300 devices (end-of-life): isolate from untrusted networks and evaluate replacement with current-generation REX controllers
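
The affected-version table and remediation steps above, applied to an asset inventory, as an added example that is not part of the original advisory. The host names and CSV layout are constructed assumptions; versions are compared numerically so that 7.10.0 is not mistaken for older than 7.3.0.

```python
import csv
import io

# Affected ranges from the advisory table: model -> (operator, boundary, action).
RULES = {
    "REX 200": ("lt", (7, 3, 0), "PATCH to >= 7.3.0"),
    "REX 250": ("lt", (7, 3, 0), "PATCH to >= 7.3.0"),
    "REX 300": ("le", (5, 1, 11), "ISOLATE (EOL, no fix)"),
}

# Constructed sample inventory; host names and CSV layout are assumptions.
SAMPLE_INVENTORY = """host,model,firmware
pump-station-1,REX 250,7.2.10
pump-station-2,REX 250,7.10.0
reservoir-gw,REX 200,7.3.0
legacy-plc,REX 300,5.1.11
lab-unit,REX 250,unknown
"""

def parse_version(text):
    """Turn '7.2.10' into (7, 2, 10) so comparison is numeric, not lexical."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(model, firmware):
    """Return the advisory action for one device."""
    rule = RULES.get(model.strip())
    if rule is None:
        return "NOT LISTED"
    op, boundary, action = rule
    try:
        version = parse_version(firmware)
    except ValueError:
        return "REVIEW (firmware version unknown)"
    affected = version < boundary if op == "lt" else version <= boundary
    return action if affected else "NOT AFFECTED"

def triage_inventory(csv_text):
    """Map each host in the inventory to its triage result."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {result}")
```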
CVEs (1)