VDE-2026-025
Vulnerability from csaf_helmholzgmbhcokg - Published: 2026-03-23 12:00 - Updated: 2026-03-23 12:00
Summary
Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual
Severity
Critical
Notes
Summary: Multiple vulnerabilities have been discovered in Helmholz myREX24V2 / myREX24V2.virtual that could allow unauthenticated RCE or SQLi.
Impact: CVE-2026-32968 allows unauthenticated RCE resulting in full system compromise impacting confidentiality, integrity, and availability, while CVE-2026-32969 allows unauthenticated SQLi resulting in arbitrary read access to the complete database.
Remediation: Update the myREX24V2/myREX24V2.virtual instance to version 2.19.4.
Disclaimer: Helmholz shall not be held responsible for any indirect, incidental, special, or consequential damages arising from the distribution or use of this document, or from any actions taken in reliance upon its contents. The information contained herein is provided by Helmholz in good faith and free of charge. To the extent permitted under applicable law, such information does not constitute any representation, warranty, guarantee, contractual commitment, or legal obligation on the part of Helmholz. Users remain solely responsible for evaluating the suitability and impact of the information on their specific systems or installations prior to implementation. If any adverse effects are identified, the information must not be applied.
CVE-2026-32968: Unauthenticated RCE in com_mb24sysapi
Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383.
CVSS v3.1 base score: 9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor Fix
Update the myREX24V2 / myREX24V2.virtual instance to version 2.19.4.
CVE-2026-32969: Pre-Auth Blind SQLi in userinfo Endpoint
An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.
CVSS v3.1 base score: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor Fix
Update the myREX24V2 / myREX24V2.virtual instance to version 2.19.4.
Acknowledgments
CERT@VDE
certvde.com
```json
{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Moritz Abrell",
          "Christian Zäske"
        ],
        "organization": "SySS GmbH",
        "summary": "reporting",
        "urls": [
          "https://www.syss.de"
        ]
      }
    ],
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Multiple vulnerabilities have been discovered in Helmholz myREX24V2 / myREX24V2.virtual that could allow unauthenticated RCE or SQLi.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "CVE-2026-32968 allows unauthenticated RCE resulting in full system compromise impacting confidentiality, integrity, and availability, while CVE-2026-32969 allows unauthenticated SQLi resulting in arbitrary read access to the complete database.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.4.",
        "title": "Remediation"
      },
      {
        "category": "legal_disclaimer",
        "text": "Helmholz shall not be held responsible for any indirect, incidental, special, or consequential damages arising from the distribution or use of this document, or from any actions taken in reliance upon its contents. The information contained herein is provided by Helmholz in good faith and free of charge. To the extent permitted under applicable law, such information does not constitute any representation, warranty, guarantee, contractual commitment, or legal obligation on the part of Helmholz. Users remain solely responsible for evaluating the suitability and impact of the information on their specific systems or installations prior to implementation. If any adverse effects are identified, the information must not be applied.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@helmholz.de",
      "name": "Helmholz GmbH & Co. KG",
      "namespace": "https://www.helmholz.de"
    },
    "references": [
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Helmholz",
        "url": "https://certvde.com/en/advisories/vendor/helmholz"
      },
      {
        "category": "self",
        "summary": "VDE-2026-025: Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2026-025"
      },
      {
        "category": "self",
        "summary": "VDE-2026-025: Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual - CSAF",
        "url": "https://helmholz.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-025.json"
      }
    ],
    "title": "Helmholz: Multiple Vulnerabilities in myREX24V2 / myREX24V2.virtual",
    "tracking": {
      "aliases": [
        "VDE-2026-025",
        "SIM#2026-02"
      ],
      "current_release_date": "2026-03-23T12:00:00.000Z",
      "generator": {
        "date": "2026-03-23T10:34:42.586Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "VDE-2026-025",
      "initial_release_date": "2026-03-23T12:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-03-23T12:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision."
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_family",
                "name": "myREX24V2",
                "product": {
                  "name": "Helmholz myREX24V2",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:helmholz:myREX24V2:*:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "myREX24V2.virtual",
                "product": {
                  "name": "Helmholz myREX24V2.virtual",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:h:helmholz:myREX24V2virtual:*:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:semver/<=2.19.3",
                "product": {
                  "name": "Firmware <=2.19.3",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "2.19.4",
                "product": {
                  "name": "Firmware 2.19.4",
                  "product_id": "CSAFPID-21002",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:helmholz:myrex24V2_firmware:2.19.4:*:*:*:*:*:*:*"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "2.19.3",
                "product": {
                  "name": "Firmware 2.19.3",
                  "product_id": "CSAFPID-21003",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:helmholz:myrex24v2_firmware:2.19.3:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "Helmholz"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware <=2.19.3 installed on Helmholz myREX24V2",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware <=2.19.3 installed on Helmholz myREX24V2.virtual",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.19.3 installed on Helmholz myREX24V2",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.19.3 installed on Helmholz myREX24V2.virtual",
          "product_id": "CSAFPID-31004"
        },
        "product_reference": "CSAFPID-21003",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.19.4 installed on Helmholz myREX24V2",
          "product_id": "CSAFPID-31005"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.19.4 installed on Helmholz myREX24V2.virtual",
          "product_id": "CSAFPID-31006"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32968",
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the com_mb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update the myREX24V2 / myREX24V2.virtual instance to version 2.19.4.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "Unauthenticated RCE in com_mb24sysapi"
    },
    {
      "cve": "CVE-2026-32969",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      },
      "notes": [
        {
          "audience": "all",
          "category": "description",
          "text": "An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.",
          "title": "CVE Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-31005",
          "CSAFPID-31006"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003",
          "CSAFPID-31004"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Update the myREX24V2 / myREX24V2.virtual instance to version 2.19.4.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003",
            "CSAFPID-31004"
          ]
        }
      ],
      "title": "Pre-Auth Blind SQLi in userinfo Endpoint"
    }
  ]
}
```