Summary
WAGO controllers have always been designed for easy connection to IT infrastructure. Even controllers from legacy product lines support encryption standards to ensure secure communication.
With specially crafted requests it is possible to take the device out of operation.
All listed devices are vulnerable to this denial-of-service attack.
Impact
This vulnerability allows an attacker who has access to the device to send a series of maliciously constructed packets which can take the device out of operation. The device needs a power-on reset to return to normal operation.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
750-831/xxx-xxx | | Firmware <=FW15 |
750-880/xxx-xxx | | Firmware <=FW15 |
750-881 | | Firmware <=FW15 |
750-889 | | Firmware <=FW15 |
Vulnerabilities
Missing Release of Resource after Effective Lifetime vulnerability in the OpenSSL implementation of WAGO 750-831/xxx-xxx, 750-880/xxx-xxx, 750-881, 750-889 in versions FW4 up to FW15 allows an unauthenticated attacker to cause DoS on the device.
Mitigation
- Restrict network access to the device.
- Do not directly connect the device to the internet.
- Disable unused TCP/UDP ports.
- Disable Web Based Management ports 80/443 after configuration phase.
Remediation
Update the device to the latest FW version.
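The following is an added example, not part of the advisory or any WAGO tooling: a small audit that flags inventory entries matching the affected models and firmware range above and reports whether the Web Based Management ports 80/443 still accept connections. The CSV layout, the firmware string format ("FW13") and the sample hosts are assumptions constructed for illustration.

```python
import csv, io, re, socket

# Model families and firmware ceiling taken from the "Affected Product(s)" table.
AFFECTED_MODELS = ("750-831", "750-880", "750-881", "750-889")
MAX_AFFECTED_FW = 15
WBM_PORTS = (80, 443)  # Web Based Management ports named under Mitigation

def base_model(article_no):
    """Strip a /xxx-xxx variant suffix: '750-880/025-000' -> '750-880'."""
    return article_no.strip().split("/", 1)[0]

def fw_number(fw):
    """Parse 'FW15', 'fw 04' or '15' into an int; None if it cannot be parsed."""
    m = re.fullmatch(r"\s*(?:FW)?\s*(\d+)\s*", fw, re.IGNORECASE)
    return int(m.group(1)) if m else None

def is_affected(article_no, fw):
    if base_model(article_no) not in AFFECTED_MODELS:
        return False
    n = fw_number(fw)
    # Unknown firmware on an affected model is reported as affected (fail closed).
    return n is None or n <= MAX_AFFECTED_FW

def port_open(host, port, timeout=1.0):
    """Plain TCP connect; True if something accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(inventory_csv, probe=port_open):
    """Return (host, model, firmware, open WBM ports) for each affected entry."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["model"], row["firmware"]):
            open_ports = [p for p in WBM_PORTS if probe(row["host"], p)]
            findings.append((row["host"], row["model"], row["firmware"], open_ports))
    return findings

# Constructed sample inventory; hosts are in the RFC 5737 documentation range,
# and '750-999' is a made-up model number that is not in the advisory.
SAMPLE = """host,model,firmware
192.0.2.10,750-880/025-000,FW13
192.0.2.11,750-881,FW16
192.0.2.12,750-999,FW15
192.0.2.13,750-889,unknown
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against an export of your own asset inventory; an affected entry with a non-empty port list still has Web Based Management reachable from where the script runs.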
Revision History
Version | Date | Summary |
---|---|---|
1 | 08/31/2021 09:00 | Initial revision. |
2 | 05/14/2025 14:53 | Fix: version space, added distribution |