[Control systems] Helmholz security advisory (AV26-274)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Helmholz myREX24V2
## CVE Details
- **CVE ID:** CVE-2026-23512, CVE-2026-23513, CVE-2026-23514 (Aggregated under VDE-2026-025)
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-79 (Cross-site Scripting), CWE-352 (Cross-Site Request Forgery), CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Helmholz myREX24V2 and myREX24V2.virtual (VPN Portals)
- **Versions:** Firmware versions 2.19.3 and prior
- **Configurations:** Systems with web management interfaces exposed to untrusted networks or accessed by authenticated administrators while browsing other sites.
## Vulnerability Description
The Helmholz myREX24V2 portal contains multiple security flaws including path traversal and injection vulnerabilities. These flaws could allow an attacker to read sensitive files from the underlying operating system, execute malicious scripts in the context of a user's browser (XSS), or perform unauthorized actions on behalf of a legitimate administrator (CSRF) via the web-based management interface.
## Exploitation
- **Status:** No report of exploitation in the wild at the time of advisory; PoC exists internally.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential access to configuration and system files)
- **Integrity:** High (Ability to modify portal settings or user sessions)
- **Availability:** Low (Possible disruption of portal services)
## Remediation
### Patches
- **Update to Version 2.20.0 or later:** Helmholz has released firmware version 2.20.0 which addresses these vulnerabilities. Users are advised to upgrade immediately.
### Workarounds
- **Network Segmentation:** Ensure the management interface of the myREX24V2 is not accessible from the public internet.
- **Access Control:** Restrict access to the portal to trusted IP addresses only.
- **Session Hygiene:** Administrators should log out of the portal immediately after use and avoid browsing other websites while an active session is open.
## Detection
- **Indicators of Compromise:** Unusual log entries in the web server logs, specifically directory traversal patterns (e.g., `../`, `..%2f`) or unexpected script tags in input fields.
- **Detection methods and tools:** Use of web application firewalls (WAF) to detect XSS and path traversal attempts. Routine audits of portal configuration changes.
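
The log indicators listed above can be checked with a short script. This is an added example, not code from Helmholz or the advisory: it assumes Common/Combined Log Format access logs, and the sample lines, paths and parameter names are constructed. It goes slightly beyond the two patterns named above by also normalising double-encoded forms such as `..%252f`.

```python
import re
from urllib.parse import unquote

# Request target inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment or parameter value, followed by a separator.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')
# Opening script tag, tolerant of whitespace and letter case.
SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so ..%2f and ..%252f both normalise to ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of indicator names found in one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return set()
    target = fully_decode(match.group(1))
    hits = set()
    if TRAVERSAL_RE.search(target):
        hits.add("path_traversal")
    if SCRIPT_RE.search(target):
        hits.add("script_injection")
    return hits

def scan(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := classify(line))]

# Constructed sample lines; paths and parameters are hypothetical, not the portal's real ones.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /files?name=..%2f..%2fsecret.conf HTTP/1.1" 200 1024',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /files?name=..%252f..%252fsecret.conf HTTP/1.1" 404 0',
    '203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "GET /docs/v1..2/readme HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, indicators in scan(SAMPLE_LOG):
        print(number, sorted(indicators))
```

Access logs normally record only the request line, so script tags submitted in POST bodies will not appear here and need WAF or application-level logging to be seen.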
## References
- **Vendor advisory:** hxxps[://]certvde[.]com/en/advisories/VDE-2026-025/
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-helmholz-security-advisory-av26-274