Back to overview

WAGO: e!Cockpit cleartext communication and hardcoded key

VDE-2020-004
Last update
05/14/2025 15:00
Published at
03/09/2020 10:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2020-004
CSAF Document
Download

Summary

The communication between e!Cockpit and the programmable logic controller is not encrypted. The broken cryptographic algorithm allows an attacker to decode the password for the e!Cockpit communication and with this to manipulate the application.

The password used by e!Cockpit for authentication against the PLC is encrypted with a hard-coded key. An attacker is able to decrypt the password by listening to the network traffic.

Impact

The vulnerabilities allow an attacker who has access to the network communication between e!Cockpit and the PLC to listen, manipulate, or drop any information they choose from the corresponding communication.

Affected Product(s)

Model no. Product name Affected versions
750-81xx/xxx-xxx 750-81xx/xxx-xxx Firmware >=FW04
750-82xx/xxx-xxx 750-82xx/xxx-xxx Firmware >=FW04
762-4xxx 762-4xxx Firmware >=FW04
762-5xxx 762-5xxx Firmware >=FW04
762-6xxx 762-6xxx Firmware >=FW04

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:58
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary

A cleartext transmission vulnerability exists in the network communication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to network traffic can easily intercept, interpret, and manipulate data coming from, or destined for e!Cockpit. This includes passwords, configurations, and binaries being transferred to endpoints.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:58
Severity
5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
Summary

A hard-coded encryption key vulnerability exists in the authentication functionality of WAGO e!Cockpit version 1.5.1.1. An attacker with access to communications between e!Cockpit and CoDeSyS Gateway can trivially recover the password of any user attempting to log in, in plain text.

References
cve.org | nvd.nist.gov

Mitigation

  • Follow the instructions in WAGO's handbook Cyber Security for Controller
  • Restrict network access to the device.
  • Do not directly connect the device to the internet
  • Use an encrypted VPN connection to the device
  • Disable unused TCP/UDP-ports

Typically the e!Cockpit communication is only needed during commissioning of the programmable logic controller and not during normal operations. WAGO highly recommends disabling the TCP Port 11740 and UDP Port 1740 after commissioning or using an encrypted VPN connection to the device.

Revision History

Version Date Summary
1 03/09/2020 10:00 initial revision
2 04/10/2025 15:00 Fixed namespace URL
3 05/14/2025 15:00 Fix: added distribution