WAGO: Vulnerabilities in WAGO Device Manager

VDE-2025-018

Last update

07/04/2025 12:00

Published at

06/16/2025 12:00

Vendor(s)

WAGO GmbH & Co. KG

External ID

VDE-2025-018

CSAF Document

Download

Summary

Vulnerabilities have been discovered in the WAGO Device Manager that allow any origin to access the server and set header values, as well as an endpoint that permits read access to the file system. The WAGO Device Manager is a software for configuring and parameterizing single WAGO products, which is included in the firmware. These vulnerabilities could be exploited by attackers to send requests and read server responses through crafted web applications or to access the file system.

Update Version 1.1.0, 04.07.2025: Removed incorrect custom firmware versions.

Impact

The vulnerabilities in the WAGO Device Manager allow unauthorized access to server resources, data leakage, remote exploitation, and compromise of device integrity. Attackers can exploit these vulnerabilities to access sensitive information, perform malicious actions remotely, and identify additional weaknesses, potentially leading to data breaches and further security issues.

Affected Product(s)

Model no.	Product name	Affected versions
	WAGO CC100 0751-9x01	WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
0752-8303/8000-0002	WAGO Edge Controller 0752-8303/8000-0002	Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
	WAGO PFC100 G1 0750-810x/xxxx-xxxx	WAGO Firmware <3.10.11 (FW22 Patch 2)
	WAGO PFC100 G2 0750-811x-xxxx-xxxx	Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
	WAGO PFC200 G1 750-820x-xxx-xxx	WAGO Firmware <3.10.11 (FW22 Patch 2)
	WAGO PFC200 G2 750-821x-xxx-xxx	Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
	WAGO TP600 0762-420x/8000-000x	WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
	WAGO TP600 0762-430x/8000-000x	Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
	WAGO TP600 0762-520x/8000-000x	Custom Firmware <04.07.01 (70), WAGO Firmware <04.07.01 (FW29)
	WAGO TP600 0762-530x/8000-000x	WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
	WAGO TP600 0762-620x/8000-000x	WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)
	WAGO TP600 0762-630x/8000-000x	WAGO Firmware <04.07.01 (FW29), Custom Firmware <04.07.01 (70)

Vulnerabilities

Expand / Collapse all

Published

09/22/2025 14:57

Severity

8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weakness

Permissive Cross-domain Policy with Untrusted Domains (CWE-942)

References

cve.org | nvd.nist.gov

Published

09/22/2025 14:57

Severity

7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness

Missing Authentication for Critical Function (CWE-306)

References

cve.org | nvd.nist.gov

Remediation

Update to Firmware version 04.07.01 (FW29) or 03.10.11 (FW22 Patch 2). For the latest Custom Firmware please contact the WAGO support.

Revision History

Version	Date	Summary
1.0.0	06/16/2025 12:00	Initial release.
1.1.0	07/04/2025 12:00	Removed incorrect custom firmware versions.