Warning: Multiple vulnerabilities in Helmholz REX100 & mbNET.mini routers leading to RCE, SQLi, XSS and Buffer Overflows, Patch Immediately!

Image
Decorative image
Gepubliceerd : 24/07/2025
  • Last update:
  • Affected software:
    → Helmholz Industrial Router REX100 < 2.3.3
    → MBConnectline mbNET.mini < 2.3.3
  • Type: Command Injection, Denial of Service, SQL Injection, Buffer Overflow, Cross-Site Scripting.
  • CVE/CVSS
    → CVE-2025-41674
    → CVE-2025-41675
    → CVE-2025-41676
    → CVE-2025-41677
    → CVE-2025-41678
    → CVE-2025-41679
    → CVE-2025-41680
    → CVE-2025-41681

Sources

https://cyberdanube.com/security-research/multiple-cyber-security-iot-vulnerabilities-in-industrial-router/

Risks

Successful exploitation of vulnerabilities in Helmholz REX100 and mbNET.mini allows:

-Authenticated command injection (CVE-2025-41674, CVE-2025-41673, CVE-2025-41675) enabling arbitrary root command execution via send_sms, diag, and communication.sh functions.

  • Authenticated SQL injection (CVE-2025-41678) permitting read and modification of the device’s SQLite database through cloud-status.sh.
  • Persistent XSS (CVE-2025-41681) allowing execution of malicious scripts in administrators’ browsers via cloud-configure.sh.
  • Unauthenticated buffer overflow (CVE-2025-41679) in confnet/serial and confnet/command functions, potentially causing service crashes or remote code execution.
  • Authenticated denial-of-service (CVE-2025-41677, CVE-2025-41676) in send_sms and send_mail functions, causing device unresponsiveness requiring reboot.

These vulnerabilities have significant impact on confidentiality, integrity, and availability.

The risk is substantial, as Helmholz REX100 and mbNET.mini devices are often deployed as public-facing edge systems, making them common targets for threat actors. Their exposure, combined with their role in critical industrial environments, substantially increases the likelihood and potential impact of exploitation - particularly given the presence of unauthenticated remote code execution and buffer overflow vulnerabilities.

Given the presence of multiple vulnerabilities, including both authenticated and unauthenticated attack vectors, there exists a credible risk of adversaries chaining these flaws to achieve escalated impact, such as remote code execution with elevated privileges or persistent access within ICS/OT environments.

As of 24-07-2025, there is no evidence of this vulnerability being actively exploited.

Description

In affected versions, Helmholz REX100 and mbNET.mini suffer from multiple critical flaws, including unauthenticated buffer overflows and authenticated command injection. These vulnerabilities allow attackers to:

  • Execute arbitrary code remotely, including as root.
  • Access and manipulate device configuration and data via SQL injection.
  • Disable the device through denial-of-service attacks.
  • Persistently compromise administrators via stored XSS.
  • Potentially pivot into ICS/OT networks, risking broader operational disruption.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-41673