Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual
Plan Patch · CVSS 9.8 · VDE-2026-025 · Mar 23, 2026
Helmholz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Helmholz myREX24V2 / myREX24V2.virtual controllers allow unauthenticated remote code execution and SQL injection. An attacker can exploit OS command injection (CWE-78) or database query injection (CWE-89) without authentication to execute arbitrary commands or manipulate stored controller configuration and process data.
What this means
What could happen
An attacker could execute arbitrary commands on the myREX24V2 controller without authentication, potentially altering automation sequences, modifying process parameters, or stopping production. SQL injection could allow unauthorized access to controller configuration and process data.
Who's at risk
Water authorities and municipal utilities running Helmholz myREX24V2 or myREX24V2.virtual controllers for pump stations, wastewater treatment, or power distribution automation. Any facility using myREX for industrial process control or critical infrastructure SCADA functions.
How it could be exploited
An attacker with network access to the myREX24V2 web interface could send a crafted request to exploit OS command injection (CWE-78) or SQL injection (CWE-89) vulnerabilities, directly achieving unauthenticated remote code execution on the controller.
Prerequisites
- Network access to myREX24V2 HTTP/HTTPS port
- No authentication required
remotely exploitable · no authentication required · low complexity · critical CVSS score (9.8) · affects control systems · unauthenticated command execution
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
myREX24V2 | ≤ 2.19.3 | 2.19.4
myREX24V2 | 2.19.3 | 2.19.4
myREX24V2.virtual | ≤ 2.19.3 | 2.19.4
myREX24V2.virtual | 2.19.3 | 2.19.4
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
myREX24V2
HOTFIX: Update myREX24V2 and myREX24V2.virtual controllers to firmware version 2.19.4 or later
CVEs (2)