Back to overview

WAGO: Unauthenticated command execution via Web-based-management UPDATE A

VDE-2023-007
Last update
05/22/2025 15:03
Published at
05/15/2023 10:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2023-007
CSAF Document
Download

Summary

The 'legal information' plugin of web-based-management contained a vulnerability which allowed execution of arbitrary commands with privileges of www user.
UPDATE A 15.06.2023 :

Removed PFC100 with FW23 as affected product and from solution
PFC200 with FW23 is only affected on 750-821x/xxx-xxx
Renamed "FW22 Patch 1" to "FW22 SP1" to match the versions of the download portal

Impact

Exploiting the vulnerability provides arbitrary command execution with privileges of the 'www' user. Via this flaw an attacker can change device configuration, create users or even take over the system.

Affected Product(s)

Model no. Product name Affected versions
751-9301 Compact Controller 100 Firmware FW22, Firmware FW23
752-8303/8000-002 Edge Controller Firmware FW20 <= FW22
750-81xx/xxx-xxx PFC100 Firmware FW22
750-821x/xxx-xxx, 750-82xx/xxx-xxx PFC200 Firmware FW20 <= FW22, Firmware FW23
762-5xxx Touch Panel 600 Advanced Line Firmware FW23
762-6xxx Touch Panel 600 Marine Line Firmware FW20 <= FW22
762-4xxx Touch Panel 600 Standard Line Firmware FW22

Vulnerabilities

Expand / Collapse all

Published
09/22/2025 14:57
Severity
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Summary

In multiple products of WAGO a vulnerability allows an unauthenticated, remote attacker to create new users and change the device configuration which can result in unintended behaviour, Denial of Service and full system compromise.

References
cve.org | nvd.nist.gov

Mitigation

As general security measures strongly WAGO recommends:

Use general security best practices to protect systems from local and network attacks.
Do not allow direct access to the device from untrusted networks.
Update to the latest firmware according to the table in chapter solutions.
Industrial control systems (ICS) should not be directly accessible from the Internet, but should be protected by consistently applying the defense-in-depth strategy.

The BSI provides general information on securing ICS in the ICS Compendium (https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/ICS/ICS-Security_compendium.pdf).

Remediation

Wago recommends all affected users to update to the firmware version listed below:

Article No° Product Name Fixed Version
751-9301 Compact Controller CC100 FW24
752-8303/8000-002 Edge Controller FW22
752-8303/8000-002 Edge Controller FW24
750-81xx/xxx-xxx PFC100 FW22 SP1
750-82xx/xxx-xxx PFC200 FW22 SP1 l
750-821x/xxx-xxx PFC200 FW24
762-5xxx Touch Panel 600 Advanced Line FW22 SP1
762-5xxx Touch Panel 600 Advanced Line FW24
762-6xxx Touch Panel 600 Marine Line FW22 SP1
762-6xxx Touch Panel 600 Marine Line FW24
762-4xxx Touch Panel 600 Standard Line FW22 SP1
762-4xxx Touch Panel 600 Standard Line FW24

Revision History

Version Date Summary
1 05/15/2023 10:00 Initial revision.
2 05/22/2025 15:03 Fix: quotation mark