Summary
A vulnerability has been discovered in the fdtCONTAINER component and application by M&M Software GmbH.
As this software is part of the Weidmüller FDT/DTM Software with WI Manager, the Weidmüller software is affected by this vulnerability as well.
The fdtCONTAINER component exchanges binary data blobs with the WI Manager. The WI Manager saves these binary data blobs into a project file.
If an attacker gains write access to the project file, the project file can be manipulated to contain malicious code.
Impact
If a manipulated project file is loaded by the WI Manager, malicious code can be executed with the user rights of the WI Manager without notice.
For more information please refer to:
VDE-2020-048: M&M Software (WAGO): Deserialisation of untrusted data in fdtContainer
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
 | WI Manager | <=2.5.1 |
Vulnerabilities
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
Mitigation
- Exchange project data only via secure exchange services
- Use appropriate means to protect the project storage from unauthorized manipulation
- Do not open project data from an unknown source
- Reduce the user rights of the WI Manager to the necessary minimum
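
One way to detect manipulation of a stored project file before it is opened, shown as an added example that is not part of the advisory or of any Weidmüller or M&M Software tooling: each file is sealed with an HMAC-SHA256 tag after a trusted save and checked before loading. The `.hmac` sidecar name, the function names and the key handling are assumptions. The key has to be kept where someone with write access to the project storage cannot read it, otherwise the tag can simply be recomputed.

```python
"""Seal and verify project files with HMAC-SHA256 (added example, not vendor tooling)."""
import hashlib
import hmac
from pathlib import Path

TAG_SUFFIX = ".hmac"  # assumed sidecar naming, not a WI Manager convention
CHUNK = 1 << 20       # read in 1 MiB blocks so large projects are not held in memory


def _tag(path: Path, key: bytes) -> str:
    """Return the hex HMAC-SHA256 over the file name and the file content."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    # Bind the tag to the file name so one sealed file cannot be swapped for another.
    mac.update(path.name.encode("utf-8") + b"\0")
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            mac.update(block)
    return mac.hexdigest()


def seal(path: Path, key: bytes) -> Path:
    """Run after a trusted save: write the tag next to the project file."""
    sidecar = path.with_name(path.name + TAG_SUFFIX)
    sidecar.write_text(_tag(path, key) + "\n", encoding="ascii")
    return sidecar


def verify(path: Path, key: bytes) -> bool:
    """Run before opening a project. False means the file must not be loaded."""
    sidecar = path.with_name(path.name + TAG_SUFFIX)
    try:
        stored = sidecar.read_text(encoding="ascii").strip()
        expected = _tag(path, key)
    except (OSError, UnicodeDecodeError):
        return False  # a missing or unreadable file or tag is treated as tampering
    # Constant-time comparison of the stored and the recomputed tag.
    return hmac.compare_digest(stored, expected)
```

A plain hash stored beside the file would not help here, because anyone able to rewrite the project file could rewrite the hash as well.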
Revision History
Version | Date | Summary |
---|---|---|
1 | 01/20/2021 14:32 | Initial revision. |
2 | 05/14/2025 14:28 | Fix: version space, added distribution |