
WAGO: Web-Based Management Authentication Vulnerabilities

VDE-2020-006
Last update: 14.05.2025 14:28
Published at: 09.03.2020 12:00
Vendor(s): WAGO GmbH & Co. KG
External ID: VDE-2020-006

Summary

With specially crafted requests it is possible to obtain sensitive information, in this case the password hashes, by measuring response delay. Given a substantial amount of time, this data can be used to calculate the passwords of the Web-Based Management users. In the case of CVE-2019-5134, the password salt can also be extracted.
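The advisory does not publish the WBM comparison code. As an added illustration (not WAGO's code), the Python example below assumes a byte-by-byte comparison that stops at the first mismatch, a common cause of CWE-203, and counts the bytes examined as a deterministic stand-in for response delay, next to a constant-time replacement. The hash, salt and all function names are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac


def leaky_equal(stored: bytes, supplied: bytes) -> tuple[bool, int]:
    """Early-exit comparison; returns (equal, bytes_examined).

    bytes_examined grows with the length of the matching prefix, so the
    work done (and therefore the response delay) depends on secret data.
    """
    if len(stored) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(stored, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(stored: bytes, supplied: bytes) -> bool:
    """Comparison whose duration does not depend on where the inputs differ."""
    return hmac.compare_digest(stored, supplied)


def work_profile(stored: bytes, candidates: list[bytes]) -> list[int]:
    """Bytes examined by leaky_equal for each candidate value."""
    return [leaky_equal(stored, c)[1] for c in candidates]


# Constructed sample data: not a real WBM hash or salt.
STORED = hashlib.sha256(b"constructed-salt" + b"constructed-password").hexdigest().encode()


def with_prefix(n: int) -> bytes:
    """Constructed candidate sharing exactly n leading bytes with STORED."""
    differing = b"0" if STORED[n:n + 1] != b"0" else b"1"
    return STORED[:n] + differing + b"f" * (len(STORED) - n - 1)


if __name__ == "__main__":
    # The early-exit comparison does more work the longer the correct prefix.
    print(work_profile(STORED, [with_prefix(0), with_prefix(8), with_prefix(32)]))
    print(constant_time_equal(STORED, with_prefix(32)))
```

Run over a handler's comparison routine in a unit test, a work profile that varies with the matching prefix is the signal that the routine needs to be replaced with a constant-time one.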

Impact

These vulnerabilities allow an experienced attacker who has access to the WBM to reconstruct the password hashes of the WBM users by sending specifically constructed requests.

Affected Product(s)

Model no. | Product name | Affected versions
750-81xx/xxx-xxx | Hardware PFC100 | Software FW05<=FW14
750-82xx/xxx-xxx | Hardware PFC200 | Software FW05<=FW14
762-4xxx, 762-5xxx, 762-6xxx | Hardware Touch Panel 600 | Software FW05<=FW14

Vulnerabilities


Published: 22.09.2025 14:58
Weakness: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

Published: 22.09.2025 14:58
Weakness: Observable Discrepancy (CWE-203)

Revision History

Version | Date | Summary
1 | 09.03.2020 10:05 | Initial revision.
2 | 06.11.2024 12:27 | Fix: correct certvde domain, added self-reference
3 | 14.05.2025 14:28 | Fix: firmware category, version space, added distribution