Helmholz: Multiple Vulnerabilities in myREX24V2/myREX24V2.virtual
Plan Patch | CVSS 9.1 | VDE-2026-043 | Apr 13, 2026
Vendor: Helmholz
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities in Helmholz myREX24V2 and myREX24V2.virtual (version 2.19.4 and earlier) allow unauthenticated remote code execution, SQL injection, and information disclosure. An attacker can execute arbitrary commands on the affected system, modify database records that hold process configuration or setpoints, or extract sensitive system information, all without authentication.
What this means
What could happen
An attacker could run arbitrary commands on the myREX24V2 controller, use SQL injection to alter configuration or process data, or extract sensitive information. This could lead to unauthorized changes to automation logic, halted operations, or exposure of system credentials.
Who's at risk
Water utilities, municipal electric systems, and industrial manufacturers using Helmholz myREX24V2 controllers for process automation and remote monitoring are affected. This includes any facility relying on these controllers for SCADA, PLC automation, or edge computing in production environments.
How it could be exploited
An attacker with network access to the myREX24V2 web interface or API can send specially crafted requests to exploit command injection (CWE-78), SQL injection (CWE-89), or information disclosure (CWE-497) vulnerabilities. No authentication is required; the attacker can exploit these flaws directly from an untrusted network.
Prerequisites
- Network access to the myREX24V2 device (port 80/443 or device management interface)
- No credentials required for exploitation
Remotely exploitable | No authentication required | Low complexity attack | Critical CVSS score (9.1) | Fixed in version 2.19.5
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 with fix
Product             Affected Versions   Fix Status
myREX24V2           ≤ 2.19.4            2.19.5
myREX24V2           2.19.4              2.19.5
myREX24V2.virtual   ≤ 2.19.4            2.19.5
myREX24V2.virtual   2.19.4              2.19.5
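The table above defines the affected range as "≤ 2.19.4" with 2.19.5 as the first fixed release. A common triage mistake is comparing version strings lexically, which ranks a hypothetical 2.19.10 below 2.19.5. The following script is an added example (not part of the advisory or any Helmholz tooling) that parses dotted version numbers into tuples and classifies an inventory against the advisory's range; the hostnames and the inventory rows are constructed placeholders, and build suffixes such as "-rc1" are ignored as a simplification.

```python
# Added example, not from the advisory or the vendor: classify an inventory of
# myREX24V2 / myREX24V2.virtual installations against the advisory's affected
# range. Assumptions: version strings are dotted numerics like "2.19.4" (an
# optional "v" prefix or trailing build tag is tolerated and ignored).
from __future__ import annotations

import re

AFFECTED_PRODUCTS = {"myREX24V2", "myREX24V2.virtual"}
LAST_AFFECTED = (2, 19, 4)   # "≤ 2.19.4" in the advisory table
FIXED_IN = (2, 19, 5)        # first fixed release per the table


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.19.4' (or 'v2.19.4', '2.19.5-rc1') into a tuple of ints so that
    2.19.10 compares greater than 2.19.5. A plain string comparison would rank
    '2.19.10' below '2.19.5' and wrongly mark it as affected."""
    m = re.match(r"^v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product: str, version: str) -> bool:
    """True when product/version falls inside the advisory's affected range.
    Products the advisory does not list are reported as not affected."""
    if product not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) <= LAST_AFFECTED


def triage(inventory: list[tuple[str, str, str]]) -> list[dict]:
    """Classify (hostname, product, version) rows and attach the required action."""
    findings = []
    for host, product, version in inventory:
        affected = is_affected(product, version)
        findings.append({
            "host": host,
            "product": product,
            "version": version,
            "affected": affected,
            "action": "update to 2.19.5 or later" if affected else "none",
        })
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for illustration only; hostnames are placeholders.
    sample = [
        ("rex-plant-a", "myREX24V2", "2.19.4"),
        ("rex-plant-b", "myREX24V2", "2.19.10"),
        ("rex-virt-01", "myREX24V2.virtual", "v2.18.0"),
        ("rex-virt-02", "myREX24V2.virtual", "2.19.5"),
    ]
    for f in triage(sample):
        print(f"{f['host']:<12} {f['product']:<18} {f['version']:<8} "
              f"affected={f['affected']} -> {f['action']}")
```

Feed it the product and version fields from your asset inventory; anything reported as affected maps directly to the HOTFIX step in the remediation section.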
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the myREX24V2 management interface using firewall rules; allow only trusted engineering workstations and HMI systems.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for a process interruption.
HOTFIX: Update myREX24V2 and myREX24V2.virtual to version 2.19.5 or later.
Long-term hardening
HARDENING: Disable remote access to the myREX24V2 web interface if it is not required for operations; use local configuration only.
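The WORKAROUND above asks for firewall rules that expose the management interface (TCP 80/443 per the prerequisites) only to trusted engineering workstations and HMIs. The script below is an added example, not from the advisory or Helmholz: it validates an allowlist, renders an nftables ruleset for a Linux gateway in front of the device, and evaluates candidate connections against the same policy so the allowlist can be checked before it locks anyone out. The device address, interface placement and the allowlist entries are assumptions chosen for illustration.

```python
# Added example, not from the advisory or the vendor: restrict the myREX24V2
# management ports to an allowlist and check the policy before deploying it.
# Assumptions: a Linux gateway running nftables sits between the plant network
# and the device; addresses below are placeholders.
from __future__ import annotations

import ipaddress

MGMT_PORTS = (80, 443)        # management interface ports named in the prerequisites
DEVICE_IP = "10.20.30.40"     # placeholder address of the myREX24V2 device
TRUSTED = [                   # placeholder allowlist
    "10.20.1.10",             # engineering workstation
    "10.20.2.0/24",           # HMI subnet
]


def parse_allowlist(entries: list[str]) -> list[ipaddress.IPv4Network]:
    """Validate allowlist entries. strict=False accepts both host addresses and
    CIDR blocks; malformed entries such as '10.20.1.300' raise ValueError before
    they can reach the ruleset."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def allows(src: str, dport: int, device: str = DEVICE_IP, allowlist=TRUSTED) -> bool:
    """Mirror of the ruleset: only allowlisted sources may reach the management
    ports on the device; other destination ports fall through to the chain's
    accept policy and are outside this workaround's scope."""
    if dport not in MGMT_PORTS:
        return True
    source = ipaddress.ip_address(src)
    return any(source in net for net in parse_allowlist(allowlist))


def render_nft(device: str = DEVICE_IP, allowlist=TRUSTED) -> str:
    """Render an nftables ruleset: allowlisted sources reach 80/443 on the device,
    everything else to those ports is logged and dropped."""
    nets = ", ".join(str(n) for n in parse_allowlist(allowlist))
    ports = ", ".join(str(p) for p in MGMT_PORTS)
    return f"""table inet myrex_mgmt {{
  set trusted_mgmt {{
    type ipv4_addr
    flags interval
    elements = {{ {nets} }}
  }}
  chain forward {{
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    ip daddr {device} tcp dport {{ {ports} }} ip saddr @trusted_mgmt accept
    ip daddr {device} tcp dport {{ {ports} }} log prefix "myrex-mgmt-drop " drop
  }}
}}
"""


if __name__ == "__main__":
    # Dry-run the policy against a few constructed connection attempts, then print
    # the ruleset to load with: nft -f myrex_mgmt.nft
    for src, port in [("10.20.1.10", 443), ("10.20.2.77", 80), ("192.168.50.5", 443)]:
        print(f"{src}:{port} -> {'allow' if allows(src, port) else 'drop'}")
    print(render_nft())
```

Load the rendered file on the gateway with nft -f; if the device is the self-hosted myREX24V2.virtual and the filter runs on the host itself, hook the chain on input rather than forward. The log prefix gives the SOC a signal for blocked attempts against the management interface.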