Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual
Act Now | 9.8 | VDE-2026-025 | Mar 23, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple unauthenticated remote code execution and SQL injection vulnerabilities exist in Helmholz myREX24V2 and myREX24V2.virtual gateways. These flaws allow attackers on the network to execute arbitrary commands or access the device database without providing credentials. The gateway is commonly used to manage distributed IO modules and remote field devices in industrial automation systems.
What this means
What could happen
An attacker on your network could remotely execute commands on the myREX24V2 gateway without entering a password, potentially altering process parameters, stopping production equipment, or stealing data from connected industrial devices.
Who's at risk
Organizations operating Helmholz myREX24V2 gateways used to connect and manage remote IO modules and PLCs in industrial automation, manufacturing, utilities, and water treatment environments should prioritize this update. Both physical hardware and virtual instances are affected.
How it could be exploited
An attacker sends a network request to the myREX24V2 device on an exposed port. The device processes the request without requiring authentication due to command injection (CWE-78) or SQL injection (CWE-89) flaws. The attacker gains the ability to run arbitrary commands on the gateway or extract database contents, giving direct control over connected PLCs, I/O modules, or SCADA systems.
Prerequisites
- Network access to the myREX24V2 management interface or API port
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity
- Critical CVSS 9.8
- High EPSS score
- Command injection and SQL injection flaws
- Affects gateway controlling industrial devices
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
myREX24V2 | ≤ 2.19.3 | 2.19.4
myREX24V2 | 2.19.3 | 2.19.4
myREX24V2.virtual | ≤ 2.19.3 | 2.19.4
myREX24V2.virtual | 2.19.3 | 2.19.4
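To triage an asset inventory against the affected-version table above, the following added example (not code from the advisory or from Helmholz) classifies each gateway by firmware version. It assumes three-part numeric version strings and treats anything below 2.19.4 as affected; the inventory format, hostnames and sample versions are constructed for illustration.

```python
import csv
import io

FIXED = (2, 19, 4)  # first fixed release listed in the advisory table
PRODUCTS = {"myrex24v2", "myrex24v2.virtual"}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,product,firmware
gw-plant-a,myREX24V2,2.19.3
gw-plant-b,myREX24V2,2.19.4
gw-cloud-1,myREX24V2.virtual,2.9.12
gw-cloud-2,myREX24V2.virtual,2.19.10
gw-lab,myREX24V2,v2.19.3-rc1
hmi-7,OtherPanel,1.0.0
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not strictly X.Y.Z."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Map host -> 'affected' | 'fixed' | 'unknown' for in-scope products."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() not in PRODUCTS:
            continue  # not a myREX24V2 / myREX24V2.virtual entry
        version = parse_version(row["firmware"])
        if version is None:
            # Unparseable version: flag for manual review, never assume fixed.
            result[row["host"]] = "unknown"
        elif version < FIXED:
            # Integer tuple comparison; string comparison would misorder
            # 2.9.12 and 2.19.10 relative to 2.19.4.
            result[row["host"]] = "affected"
        else:
            result[row["host"]] = "fixed"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be checked on the device itself before being counted as remediated.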
Remediation & Mitigation
Do now
myREX24V2
- HOTFIX: Update myREX24V2 and myREX24V2.virtual firmware to version 2.19.4 or later
- WORKAROUND: Restrict network access to the myREX24V2 management interface to only authorized engineering workstations using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
myREX24V2
- HARDENING: Isolate the myREX24V2 gateway on a dedicated engineering network segment separate from production and IT networks
CVEs (2)
API:
/api/v1/advisories/de39d90e-1638-4230-9eda-44b0ff22b7bc