Zurück zur Übersicht

WAGO: Vulnerabilities in WAGO Device Manager

VDE-2025-018
Last update
21.11.2025 13:00
Published at
16.06.2025 12:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2025-018
CSAF Document
Download

Summary

Vulnerabilities have been discovered in the WAGO Device Manager that allow any origin to access the server and set header values, as well as an endpoint that permits read access to the file system. The WAGO Device Manager is a software for configuring and parameterizing single WAGO products, which is included in the firmware. These vulnerabilities could be exploited by attackers to send requests and read server responses through crafted web applications or to access the file system.

Impact

The vulnerabilities in the WAGO Device Manager allow unauthorized access to server resources, data leakage, remote exploitation, and compromise of device integrity. Attackers can exploit these vulnerabilities to access sensitive information, perform malicious actions remotely, and identify additional weaknesses, potentially leading to data breaches and further security issues.

Affected Product(s)

Model no. Product name Affected versions
CC100 0751-9x01 WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
0752-8303/8000-0002 Edge Controller 0752-8303/8000-0002 WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
PFC100 G1 0750-810x/xxxx-xxxx WAGO Firmware <3.10.11 (FW22 Patch 2)
PFC100 G2 0750-811x-xxxx-xxxx WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
PFC200 G1 750-820x-xxx-xxx WAGO Firmware <3.10.11 (FW22 Patch 2)
PFC200 G2 750-821x-xxx-xxx Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
TP600 0762-420x/8000-000x Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
TP600 0762-430x/8000-000x Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
TP600 0762-520x/8000-000x Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
TP600 0762-530x/8000-000x WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
TP600 0762-620x/8000-000x Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
TP600 0762-630x/8000-000x WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)

Vulnerabilities

Expand / Collapse all

Published
21.11.2025 13:31
Severity
6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weakness
Permissive Cross-domain Policy with Untrusted Domains (CWE-942)
References
cve.org | nvd.nist.gov

Published
21.11.2025 13:31
Severity
4.9 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Weakness
Missing Authentication for Critical Function (CWE-306)
References
cve.org | nvd.nist.gov

Remediation

Update to Firmware version 04.07.01 (FW29) or 03.10.11 (FW22 Patch 2). For the latest Custom Firmware please contact the WAGO support.

Acknowledgments

WAGO GmbH & Co. KG thanks the following parties for their efforts:

Revision History

Version Date Summary
1.0.0 16.06.2025 12:00 Initial release.
1.1.0 04.07.2025 12:00 Removed incorrect custom firmware versions.
1.1.1 07.10.2025 10:00 Fixed a typo in the description for CVE-2025-25264
1.2.0 21.11.2025 13:00 The two CVE descriptions and CVSS scores were edited.