Helmholz: Authenticated unintended access to critical program parameters in myREX24V2/myREX24V2.virtual
Plan Patch | CVSS 7.2 | VDE-2026-070 | Jun 23, 2026
Helmholz
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in myREX24V2 and myREX24V2.virtual allows an authenticated remote attacker to access a hidden configuration method to modify critical program parameters that should be restricted from user access.
What this means
What could happen
An authenticated attacker could bypass access controls and modify critical program parameters on the myREX24V2 controller, potentially altering equipment behavior, process setpoints, or causing operational disruptions.
Who's at risk
Manufacturers and operators using Helmholz myREX24V2 or myREX24V2.virtual controllers in automation systems, particularly those used in water treatment, power distribution, manufacturing, and building automation where process control parameters are critical to safe operation.
How it could be exploited
An attacker with valid credentials to the myREX24V2 device can connect remotely and exploit a hidden configuration method to access and change critical program parameters that are normally protected from modification.
Prerequisites
- Valid user credentials for myREX24V2/myREX24V2.virtual device
- Network access to the device management interface
- Device running affected version (< 2.20.2)
remotely exploitable | affects equipment control logic | requires valid credentials but affects privileged operations
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| myREX24V2 | < 2.20.2 | 2.20.2 |
| myREX24V2 | 2.20.1 | 2.20.2 |
| myREX24V2.virtual | < 2.20.2 | 2.20.2 |
| myREX24V2.virtual | 2.20.1 | 2.20.2 |
Remediation & Mitigation
Do now
myREX24V2
- HARDENING: Restrict network access to the myREX24V2 management interface to trusted engineering workstations only using firewall rules
- HARDENING: Review and audit user accounts with access to myREX24V2 devices and remove unnecessary credentials
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
myREX24V2
- HOTFIX: Update myREX24V2/myREX24V2.virtual to firmware version 2.20.2 or later
CVEs (1)