VDE-2019-017
Last update
05/14/2025 14:28
Published at
09/18/2019 13:25
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2019-017
CSAF Document
Summary
The reported vulnerability allows a remote attacker to check paths and file names that are used in filesystem operations.
Update, 18.9.2019, 18:30
- fixed typo in modelname, replaced PCF with PFC.
Impact
The vulnerability allows an attacker to check the existence of files via specially crafted HTTP requests. This can be potentially used to identify installed software and leak of sensitive data (e.g. session data stored in the file system).
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| PFC100 750-81xx/xxx-xxx | Firmware <FW12 | |
| PFC200 750-82xx/xxx-xxx | Firmware <FW12 |
Vulnerabilities
Expand / Collapse all
Published
09/22/2025 14:57
Severity
Weakness
Externally Controlled Reference to a Resource in Another Sphere (CWE-610)
Summary
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
References
Mitigation
- Restrict network access to the web server.
- Restrict network access to the device.
- Do not directly connect the device to the internet.
Remediation
Update your device to the latest firmware (>= FW12).
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 09/18/2019 13:25 | Initial revision. |
| 2 | 09/18/2019 18:30 | Fixed typo. |
| 3 | 11/06/2024 12:27 | Fix: correct certvde domain, added alias, added self-reference |
| 4 | 05/14/2025 14:28 | Fix: version space, added distribution |