{ "document": { "acknowledgments": [ { "organization": "CERT@VDE", "summary": "coordination", "urls": [ "https://certvde.com" ] }, { "names": [ "Moritz Abrell", "Christian Zäske" ], "organization": "SySS GmbH", "summary": "reporting", "urls": [ "https://www.syss.de" ] } ], "aggregate_severity": { "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-GB", "notes": [ { "category": "summary", "text": "Multiple vulnerabilities have been discovered in Helmholz myREX24V2/myREX24V2.virtual that could allow RCE, SQLi or information leakage.", "title": "Summary" }, { "category": "description", "text": "CVE-2026-33613 allows RCE resulting in full system compromise impacting confidentiality, integrity, and availability. CVE-2026-33614 and CVE-2026-33616 allow unauthenticated SQLi resulting in arbitrary read access to the complete database, while CVE-2026-33615 results in arbitrary write access to the user table. Lastly CVE-2026-33617 allows unauthenticated access to some sensitive data.", "title": "Impact" }, { "category": "description", "text": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5.", "title": "Remediation" }, { "category": "legal_disclaimer", "text": "Helmholz shall not be held responsible for any indirect, incidental, special, or consequential damages arising from the distribution or use of this document, or from any actions taken in reliance upon its contents. The information contained herein is provided by Helmholz in good faith and free of charge. To the extent permitted under applicable law, such information does not constitute any representation, warranty, guarantee, contractual commitment, or legal obligation on the part of Helmholz. Users remain solely responsible for evaluating the suitability and impact of the information on their specific systems or installations prior to implementation. If any adverse effects are identified, the information must not be applied.", "title": "Disclaimer" } ], "publisher": { "category": "vendor", "contact_details": "psirt@helmholz.de", "name": "Helmholz GmbH & Co. KG", "namespace": "https://www.helmholz.de" }, "references": [ { "category": "self", "summary": "Security Incident Management SIM#2026-03 - PDF", "url": "https://advisories.helmholz.com/pdf/SIM2026-03.pdf" }, { "category": "external", "summary": "CERT@VDE Security Advisories for Helmholz", "url": "https://certvde.com/en/advisories/vendor/helmholz" }, { "category": "self", "summary": "VDE-2026-043: Helmholz: Multiple Vulnerabilities in myREX24V2/myREX24V2.virtual - HTML", "url": "https://certvde.com/en/advisories/VDE-2026-043" }, { "category": "self", "summary": "VDE-2026-043: Helmholz: Multiple Vulnerabilities in myREX24V2/myREX24V2.virtual - CSAF", "url": "https://helmholz.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-043.json" } ], "title": "Helmholz: Multiple Vulnerabilities in myREX24V2/myREX24V2.virtual", "tracking": { "aliases": [ "VDE-2026-043", "SIM#2026-03" ], "current_release_date": "2026-04-13T11:00:00.000Z", "generator": { "date": "2026-04-13T11:35:08.245Z", "engine": { "name": "Secvisogram", "version": "2.5.47" } }, "id": "VDE-2026-043", "initial_release_date": "2026-04-13T11:00:00.000Z", "revision_history": [ { "date": "2026-04-13T11:00:00.000Z", "number": "1.0.0", "summary": "Initial revision." } ], "status": "final", "version": "1.0.0" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_family", "name": "myREX24V2", "product": { "name": "Helmholz myREX24V2", "product_id": "CSAFPID-11001", "product_identification_helper": { "cpe": "cpe:2.3:h:helmholz:myREX24V2:*:*:*:*:*:*:*:*" } } }, { "category": "product_name", "name": "myREX24V2.virtual", "product": { "name": "Helmholz myREX24V2.virtual", "product_id": "CSAFPID-11002", "product_identification_helper": { "cpe": "cpe:2.3:h:helmholz:myREX24V2virtual:*:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Hardware" }, { "branches": [ { "category": "product_version_range", "name": "vers:semver/<=2.19.4", "product": { "name": "Firmware <=2.19.4", "product_id": "CSAFPID-21001" } }, { "category": "product_version", "name": "2.19.5", "product": { "name": "Firmware 2.19.5", "product_id": "CSAFPID-21002", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2_firmware:2.19.5:*:*:*:*:*:*:*" } } }, { "category": "product_version", "name": "2.19.4", "product": { "name": "Firmware 2.19.4", "product_id": "CSAFPID-21003", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2_firmware:2.19.4:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Firmware" } ], "category": "vendor", "name": "Helmhol" } ], "product_groups": [ { "group_id": "CSAFGID-0001", "product_ids": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ], "summary": "Affected products." }, { "group_id": "CSAFGID-0002", "product_ids": [ "CSAFPID-31005", "CSAFPID-31006" ], "summary": "Fixed products." } ], "relationships": [ { "category": "installed_on", "full_product_name": { "name": "Firmware <=2.19.4 installed on Helmholz myREX24V2", "product_id": "CSAFPID-31001" }, "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11001" }, { "category": "installed_on", "full_product_name": { "name": "Firmware <=2.19.4 installed on Helmholz myREX24V2.virtual", "product_id": "CSAFPID-31002" }, "product_reference": "CSAFPID-21001", "relates_to_product_reference": "CSAFPID-11002" }, { "category": "installed_on", "full_product_name": { "name": "Firmware 2.19.4 installed on Helmholz myREX24V2", "product_id": "CSAFPID-31003", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2:2.19.4:*:*:*:*:*:*:*" } }, "product_reference": "CSAFPID-21003", "relates_to_product_reference": "CSAFPID-11001" }, { "category": "installed_on", "full_product_name": { "name": "Firmware 2.19.4 installed on Helmholz myREX24V2.virtual", "product_id": "CSAFPID-31004", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2virtual:2.19.4:*:*:*:*:*:*:*" } }, "product_reference": "CSAFPID-21003", "relates_to_product_reference": "CSAFPID-11002" }, { "category": "installed_on", "full_product_name": { "name": "Firmware 2.19.5 installed on Helmholz myREX24V2", "product_id": "CSAFPID-31005", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2:2.19.5:*:*:*:*:*:*:*" } }, "product_reference": "CSAFPID-21002", "relates_to_product_reference": "CSAFPID-11001" }, { "category": "installed_on", "full_product_name": { "name": "Firmware 2.19.5 installed on Helmholz myREX24V2.virtual", "product_id": "CSAFPID-31006", "product_identification_helper": { "cpe": "cpe:2.3:o:helmholz:myREX24V2virtual:2.19.5:*:*:*:*:*:*:*" } }, "product_reference": "CSAFPID-21002", "relates_to_product_reference": "CSAFPID-11002" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33613", "cwe": { "id": "CWE-78", "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" }, "notes": [ { "audience": "all", "category": "description", "text": "Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise.\n\nThis vulnerability can only be attacked if the attacker has some other way to write arbitrary data to the user table.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-31005", "CSAFPID-31006" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 7.2, "environmentalSeverity": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "temporalScore": 7.2, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ], "title": "RCE in generateSrpArray" }, { "cve": "CVE-2026-33614", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getinfo endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-31005", "CSAFPID-31006" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ], "title": "Unauthenticated SQLi in getinfo Endpoint" }, { "cve": "CVE-2026-33615", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the setinfo endpoint due to improper neutralization of special elements in a SQL UPDATE command. This can result in a total loss of integrity and availability.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-31005", "CSAFPID-31006" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "environmentalScore": 9.1, "environmentalSeverity": "CRITICAL", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 9.1, "temporalSeverity": "CRITICAL", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ], "title": "Unauthenticated SQLi in setinfo Endpoint" }, { "cve": "CVE-2026-33616", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can exploit an unauthenticated blind SQL Injection vulnerability in the mb24api endpoint due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-31005", "CSAFPID-31006" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "environmentalScore": 7.5, "environmentalSeverity": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 7.5, "temporalSeverity": "HIGH", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ], "title": "Unauthenticated SQLi in mb24api Endpoint" }, { "cve": "CVE-2026-33617", "cwe": { "id": "CWE-497", "name": "Exposure of Sensitive System Information to an Unauthorized Control Sphere" }, "notes": [ { "audience": "all", "category": "description", "text": "An unauthenticated remote attacker can access a configuration file containing database credentials. This can result in a some loss of confidentiality, but there is no endpoint exposed to use these credentials.", "title": "CVE Description" } ], "product_status": { "fixed": [ "CSAFPID-31005", "CSAFPID-31006" ], "known_affected": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] }, "remediations": [ { "category": "vendor_fix", "details": "Update the myREX24V2/myREX24V2.virtual instance to version 2.19.5.", "group_ids": [ "CSAFGID-0001" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "environmentalScore": 5.3, "environmentalSeverity": "MEDIUM", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "temporalScore": 5.3, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "CSAFPID-31001", "CSAFPID-31002", "CSAFPID-31003", "CSAFPID-31004" ] } ], "title": "Unauthenticated information disclosure in data24 Endpoint" } ] }