Back to overview

WAGO: Multiple Vulnerabilities in the Web-Based Management Interface

VDE-2021-013
Last update
05/14/2025 14:28
Published at
05/05/2021 10:54
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2021-013
CSAF Document
Download

Summary

The Web-Based Management (WBM) of WAGOs industrial managed switches is typically used for administration, commissioning and updates.

The reported vulnerabilities allow an attacker with access to the device and the Web-Based Management, to install malware, access to password hashes and create user with admin credentials.

Impact

By exploiting the described vulnerabilities, the attacker potentially is able to manipulate or to disrupt the device.

Affected Product(s)

Model no. Product name Affected versions
2688394 0852-1305 Firmware <=V1.1.7.S0
2688459 0852-1305/000-001 Firmware <=V1.0.4.S0
2702177 0852-1505 Firmware <=V1.1.6.S0
2701949 0852-1505/000-001 Firmware <=V1.0.4.S0
Hardware 0852-0303 (HW<3)* Firmware <=V1.2.3.S0
Hardware 0852-0303 (HW>=3)* Firmware <=V1.2.3.S0

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Missing Authentication for Critical Function (CWE-306)
Summary

In multiple managed switches by WAGO in different versions without authorization and with specially crafted packets it is possible to create users.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Insufficiently Protected Credentials (CWE-522)
Summary

In multiple managed switches by WAGO in different versions it is possible to read out the password hashes of all Web-based Management users.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness
Cleartext Storage of Sensitive Information (CWE-312)
Summary

In multiple managed switches by WAGO in different versions the webserver cookies of the web based UI contain user credentials.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Summary

In multiple managed switches by WAGO in different versions an attacker may trick a legitimate user to click a link to inject possible malicious code into the Web-Based Management.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Incorrect Permission Assignment for Critical Resource (CWE-732)
Summary

In multiple managed switches by WAGO in different versions special crafted requests can lead to cookies being transferred to third parties.

References
cve.org | nvd.nist.gov

Published
09/22/2025 14:57
Severity
5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Summary

In multiple managed switches by WAGO in different versions the activated directory listing provides an attacker with the index of the resources located inside the directory.

References
cve.org | nvd.nist.gov

Mitigation

  • Disable the web server of the device.
  • Use the CLI interface of the device.
  • Update to the latest firmware.
  • Restrict network access to the device.
  • Do not directly connect the device to the internet.

Remediation

The Web-Based Management is only needed during installation and commissioning, not during normal operations. It is recommended to disable the web server after commissioning. The Command Line Interface (CLI) is an alternative for commissioning the device. This is the easiest and securest way to protect your device from the listed vulnerabilities.

Regardless of the action described above, the vulnerabilities are fixed with following firmware releases.

Item Number FW Version
0852-0303 (HW<3)* V1.2.5.S0
0852-0303 (HW>=3)* V1.2.3.S1
0852-1305 V1.1.8.S0
0852-1505 V1.1.7.S0
0852-1305/000-001 V1.1.4.S0
0852-1505/000-001 V1.1.4.S0

Revision History

Version Date Summary
1 06/23/2021 14:16 Initial revision.
2 05/14/2025 14:28 Fix: version space, added distribution