The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
Older firmware versions of the PLC families 750-88x and 750-352 are vulnerable to a special denial-of-service attack.

Firmware releases since FW11, released in December 2017, are not affected.

UPDATE A

Additional affected devices:

  • 750-331/xxx-xxx
  • 750-829
  • 750-882
  • 750-885



The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
The SNMP configuration page of the device is vulnerable to a persistent XSS (Cross-Site Scripting) attack.



The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
With specially crafted requests, it is possible to change some special parameters without authentication.



The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.
With specially crafted requests, it is possible to change some special parameters without authentication.



Multiple vulnerabilities were reported in WIBU-SYSTEMS Codemeter. WIBU-SYSTEMS Codemeter is installed by default during e!COCKPIT installation. All currently existing e!COCKPIT installation bundles contain vulnerable versions of WIBU-SYSTEMS Codemeter.



The Web-Based Management (WBM) of WAGO's programmable logic controllers (PLCs) is typically used for administration, commissioning and updates.

An attacker needs an authorized login with administrative privileges on the device in order to exploit the herein mentioned vulnerability.

An authenticated attacker who has access to the Web-Based Management (WBM) could use the software upload functionality to install a software package with root privileges. This could potentially be used to manipulate the device or to gain control of it.



WAGO PLCs use Linux as their operating system and offer ambitious users the opportunity to make their own modifications to expand the functionality of the PLC. For this reason, the pppd daemon is also part of the operating system, but it is not activated in the default configuration of the WAGO firmware.

The reported vulnerability is only exploitable if the customer has manually activated the pppd daemon in their individual configuration. If the pppd daemon is used by the customer's application, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution, by sending an unsolicited EAP packet.



An attacker needs an authorized login on the device in order to exploit the herein mentioned vulnerabilities.

The reported vulnerabilities allow a local attacker with valid login credentials who is able to create files on the device to change the device's settings (e.g. default gateway address, time server, etc.) and potentially execute code.


