
WAGO: Web Based Management - Code Execution Vulnerability

VDE-2020-015
Last update
10.06.2020 10:00
Published at
10.06.2020 10:00
Vendor(s)
WAGO GmbH & Co. KG
External ID
VDE-2020-015

Summary

The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and firmware or software updates.

An attacker needs an authorized login with administrative privileges on the device in order to exploit the vulnerability described here.

An authenticated attacker with access to the Web-Based Management (WBM) could use the software upload functionality to install software packages with root privileges. This could be used to manipulate the device or to take control of it.

Impact

Based on the described issue, an authenticated attacker is able to install software packages with elevated rights. Note that this is intended functionality: it provides the administrative user with a convenient way to install software on the device.

Affected Product(s)

Model no.            Product name   Affected versions
762-4xxx             762-4xxx       Firmware < 03.04.10 (FW16)
762-5xxx             762-5xxx       Firmware < 03.04.10 (FW16)
762-6xxx             762-6xxx       Firmware < 03.04.10 (FW16)
750-81xx/xxx-xxx     PFC100         Firmware < 03.04.10 (FW16)
750-82xx/xxx-xxx     PFC200         Firmware < 03.04.10 (FW16)

Vulnerabilities


Published
22.09.2025 14:57
Weakness
Improper Privilege Management (CWE-269)
Summary

An exploitable code execution vulnerability exists in the Web-Based Management (WBM) functionality of WAGO PFC 200 03.03.10(15). A specially crafted series of HTTP requests can lead to remote code execution on the device. An attacker needs to send authenticated HTTP requests to trigger this vulnerability.

References

Mitigation

Use strong passwords for administrative accounts on the device.
Follow the instructions in WAGO's handbook "Cyber Security for Controller".
Restrict network access to the device.
Do not connect the device directly to the internet.

Remediation

In previous versions of the WAGO product manuals, a distinction was made between the WBM and the underlying Linux system, suggesting that the two had separate privilege boundaries. This information was misleading, and WAGO has corrected it in the current versions of the manuals, which are expected to be updated in June 2020.

The corrected description is valid from FW version 03.04.10(16); see chapter 5.1.2.1.2 of the manual.

Revision History

Version   Date               Summary
1         10.06.2020 10:00   Initial revision.