WAGO Visualization And Control Hub versions before 5.0.1 contain multiple vulnerabilities in the embedded Magick.NET-Q16-AnyCPU component (derived from ImageMagick). These vulnerabilities are triggered when the system processes user-uploaded images to generate thumbnails for the project's image library. Authenticated users with Design Project Permission can exploit these flaws. The vulnerabilities include buffer overflows, integer overflows, path traversal, arbitrary code execution, denial of service, and memory safety issues in the image processing pipeline.
What this means
What could happen
An authenticated user with design permissions on the VC Hub could upload a malicious image that exploits ImageMagick vulnerabilities to execute arbitrary code on the VC Hub system, potentially allowing them to alter control configurations, stop visualization services, or pivot into connected industrial networks.
Who's at risk
WAGO VC Hub operators and visualization engineers who manage image libraries and control project configurations. This impacts any facility using VC Hub for SCADA visualization, process monitoring, or control panel displays where authenticated users have design access.
How it could be exploited
An attacker with valid design project permissions uploads a specially crafted image file to the VC Hub's image library. The VC Hub processes this image using the vulnerable Magick.NET-Q16-AnyCPU component (derived from ImageMagick) to generate a thumbnail. The image parsing flaws allow arbitrary code execution on the VC Hub system with the privileges of the application.
Prerequisites
Valid VC Hub user account with Design Project Permission
Network access to VC Hub's image upload functionality
Remotely exploitable via image upload
Multiple underlying image processing flaws (CWE-125, CWE-119, CWE-94, CWE-22 and others)
Affects control system visualization layer
Authenticated access required but design permissions are often broadly assigned
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Visualization And Control Hub < 5.0.1 | < 5.0.1 | 5.0.1
Visualization And Control Hub 5.0.0 | 5.0.0 | 5.0.1
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update WAGO Visualization And Control Hub to version 5.0.1 or later