Helmholz: Multiple vulnerabilities in REX100/REX200/REX250

Plan PatchCVSS 8.4VDE-2026-059May 27, 2026

Helmholz

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Two command injection vulnerabilities (CWE-78, CWE-1287) exist in Helmholz REX100/REX200/REX250 controllers. These flaws allow execution of arbitrary commands through unsanitized input without authentication, affecting REX100 versions up to 3.0.2 and REX200/250 versions up to 8.4.4.

What this means

What could happen

An attacker with local access to a Helmholz REX controller could execute arbitrary commands with the device's privileges, potentially altering automation logic, stopping production, or modifying control parameters that affect physical processes.

Who's at risk

Facilities operating Helmholz REX100, REX200, or REX250 programmable logic controllers (PLCs) used for process automation, manufacturing, or building management systems. This affects anyone using these controllers for local automation tasks.

How it could be exploited

The vulnerability is command injection—an attacker with local access to the REX controller could inject malicious commands through an input field or interface that the device processes without proper validation. The injected commands would execute with the device's privileges, giving the attacker control over the automation logic and connected equipment.

Prerequisites

Local access to the REX controller (physical console, USB, serial port, or local network)
No authentication required for the vulnerable interface

No authentication requiredLow complexity exploitationHigh CVSS score (8.4)Allows command injectionLocal access still enables full device compromise

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

REX100≤ 3.0.23.0.3

REX1003.0.23.0.3

REX200/250≤ 8.4.48.4.5

REX200/2508.4.48.4.5

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict local network access to the REX controller's management interface to trusted engineering workstations only

HARDENINGDisable or restrict local console access (USB, serial) to authorized personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

REX200/250

HOTFIXUpdate REX200/250 to firmware version 8.4.5 or later

REX100

HOTFIXUpdate REX100 to firmware version 3.0.3 or later

CVEs (2)

CVE-2026-40851 CVE-2026-40852

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/47a7d20d-6098-4c28-bafc-a9c76f318286

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.