WAGO: Vulnerabilities in CODESYS Control

VDE-2024-072
Last update: 12/03/2024 12:00
Published at: 12/03/2024 12:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2024-072

Summary

The firmware versions listed below, installed on several devices, are affected by a vulnerability in the CODESYS Control V3 web server.

Impact

The configuration UI, called Web-Based Management, is part of the control runtime system and is also used for the visualization of running applications. Because the web server does not correctly check the return value of an underlying function, it mishandles specially crafted TLS packets received over an HTTPS connection. This causes the web server to access invalid memory and the web server task to crash.
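The weakness class described above (CWE-754), shown as an added example that is not CODESYS or WAGO code: a lower-layer read function signals a malformed record with -1, and the handler either ignores or honours that return value. The function names, the record layout handling and the truncated sample record are assumptions constructed for illustration; the advisory does not disclose the affected function or the packet contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 256

/* Hypothetical lower layer: parses a 5-byte TLS record header (type,
 * version, 16-bit length) and copies the payload into out.
 * Returns the payload length, or -1 if the record is truncated or too big. */
static int read_record(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap)
{
    if (in_len < 5) return -1;
    size_t len = ((size_t)in[3] << 8) | in[4];
    if (len > out_cap || len > in_len - 5) return -1;
    memcpy(out, in + 5, len);
    return (int)len;
}

/* CWE-754 pattern: the return value is used as a length without a check.
 * When read_record() returns -1 this reads payload[-2], i.e. invalid memory. */
int handle_unchecked(const uint8_t *in, size_t in_len)
{
    uint8_t payload[MAX_PAYLOAD];
    int n = read_record(in, in_len, payload, sizeof payload);
    return payload[n - 1];
}

/* Hardened form: the exceptional return is handled before any use, so the
 * caller can close the connection instead of the task crashing. */
int handle_checked(const uint8_t *in, size_t in_len)
{
    uint8_t payload[MAX_PAYLOAD];
    int n = read_record(in, in_len, payload, sizeof payload);
    if (n <= 0) return -1;
    return payload[n - 1];
}

int main(void)
{
    /* Constructed samples: "bad" declares 16 payload bytes but carries 2. */
    const uint8_t ok[]  = {0x17, 0x03, 0x03, 0x00, 0x02, 0xAA, 0xBB};
    const uint8_t bad[] = {0x17, 0x03, 0x03, 0x00, 0x10, 0xAA, 0xBB};
    printf("well-formed: %d\n", handle_checked(ok, sizeof ok));
    printf("truncated:   %d\n", handle_checked(bad, sizeof bad));
    return 0;
}
```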

Affected Product(s)

Model no. | Product name | Affected versions
 | Basic Controller 0750-8001 | Firmware <=01.03.03 (FW3)
0751-9?01 | Basic Controller 0751-8000 | Firmware <=01.03.03 (FW3)

Vulnerabilities

Published: 09/22/2025 14:58
Weakness: Improper Check for Unusual or Exceptional Conditions (CWE-754)
Summary

Receiving a specially crafted TLS packet on an HTTPS connection causes the CODESYS web server to crash, because the return value of an underlying function is not checked correctly for such unusual conditions.

References

Remediation

Update to Firmware version 01.04.07 (FW4).

Revision History

Version | Date | Summary
1 | 12/03/2024 12:00 | Initial revision.