Article No. | Product Name | Affected Version(s) |
---|---|---|
751-9301 | Compact Controller CC100 | FW19 <= FW26 |
752-8303/8000-002 | Edge Controller | FW18 <= FW26 |
750-81xx/xxx-xxx | PFC100 | FW16 <= FW26 |
750-82xx/xxx-xxx | PFC200 | FW16 <= FW26 |
762-5xxx | Touch Panel 600 Advanced Line | FW16 <= FW26 |
762-6xxx | Touch Panel 600 Marine Line | FW16 <= FW26 |
762-4xxx | Touch Panel 600 Standard Line | FW16 <= FW26 |
An attacker with administrative privileges who can access sensitive files can additionally access them in an unintended, undocumented way.
On affected WAGO products, a remote attacker with administrative privileges can access files to which he already has access through an undocumented local file inclusion. This access is logged in a different log file than expected.
Users might not notice that files are accessed.
Mitigation
Remediation
We recommend that all affected users update to the firmware version listed below:
FW23
Article No. | Product Name | Fixed version (ETA Q2/2024) |
---|---|---|
751-9301 | Compact Controller CC100 | FW27 |
752-8303/8000-002 | Edge Controller | |
750-81xx/xxx-xxx | PFC100 | |
750-82xx/xxx-xxx | PFC200 | |
762-5xxx | Touch Panel 600 Advanced Line | |
762-6xxx | Touch Panel 600 Marine Line | |
762-4xxx | Touch Panel 600 Standard Line | |
The vulnerability was reported by Floris Hendriks and Jeroen Wijenbergh from Radboud University.
Coordination done by CERT@VDE.