WAGO PFC200 Series
Act Now | CVSS 9.8 | ICS-CERT ICSA-18-044-01 | Feb 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
WAGO PFC200 series controllers and CODESYS 2.3.X and 2.4.X contain an authentication bypass vulnerability (CWE-287) that allows remote code execution. An attacker can send a crafted network request to execute arbitrary code on the controller without valid credentials. The vulnerability affects multiple PFC200 variants including models 750-8202, 750-8203, 750-8204, 750-8206, 750-8207, and 750-8208 running firmware versions prior to 02.07.07(10). Public exploits are available.
What this means
What could happen
An attacker could remotely execute arbitrary code on the PFC200 controller with no credentials required, potentially taking full control of critical process logic, pump speeds, valve positions, or other automated functions that depend on the device.
Who's at risk
Water utilities and municipal electric systems using WAGO PFC200 series controllers (models 750-8202, 750-8203, 750-8204, 750-8206, 750-8207, 750-8208) for automation and process control. Also affects systems running CODESYS 2.3.X and 2.4.X. Any organization relying on these PLCs for pump control, pressure regulation, or power distribution is at risk.
How it could be exploited
An attacker sends a specially crafted network request to the PFC200 device over the network. The device lacks proper input validation and authentication checks, allowing the attacker to execute arbitrary code directly. No physical access or valid credentials are needed.
Prerequisites
- Network access to the PFC200 on its listening port
- Device must be running a firmware version prior to 02.07.07(10)
- No credentials or authentication required
Tags: remotely exploitable, no authentication required, low complexity, public exploits available, no patch available for older firmware versions, affects critical infrastructure controllers, high CVSS (9.8)
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (19)
17 with fix, 2 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| 750-8206: Firmware prior to 02.07.07(10) | < 02.07.07(10) | 02.07.07(10) |
| 750-8208/025-000: Firmware prior to 02.07.07(10) | < 02.07.07(10) | 02.07.07(10) |
| 750-8202/025-001: Firmware prior to 02.07.07(10) | < 02.07.07(10) | 02.07.07(10) |
| 750-8202/025-000: Firmware prior to 02.07.07(10) | < 02.07.07(10) | 02.07.07(10) |
| 750-8207/025-000: Firmware prior to 02.07.07(10) | < 02.07.07(10) | 02.07.07(10) |
Remediation & Mitigation
Do now
- HOTFIX: Update WAGO PFC200 firmware to version 02.07.07(10) or later (FW11 or newer)
- WORKAROUND: Restrict network access to PFC200 devices using firewall rules; only allow connections from authorized engineering workstations and SCADA servers
Long-term hardening
- HARDENING: Segment PFC200 devices onto a dedicated industrial control network isolated from corporate IT and the internet
- HARDENING: Disable remote access protocols on PFC200 devices if not required for operations
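To prioritise the firmware update, the following added example (not from the advisory or from WAGO) checks an asset inventory against the affected models and the 02.07.07(10) threshold listed above. The inventory entries, field names, status labels and the ordering rule (dotted fields first, then the parenthesised index) are assumptions.

```python
import re

# Affected base models and fixed firmware, taken from the advisory text.
AFFECTED_MODELS = {"750-8202", "750-8203", "750-8204",
                   "750-8206", "750-8207", "750-8208"}
FIXED_FIRMWARE = "02.07.07(10)"

_FW_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\((\d+)\)\s*$")

def parse_firmware(text):
    """Turn '02.07.07(10)' into (2, 7, 7, 10) for ordered comparison."""
    m = _FW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(g) for g in m.groups())

def base_model(item_number):
    """Strip a variant suffix: '750-8202/025-001' -> '750-8202'."""
    return item_number.split("/", 1)[0].strip()

def assess(device):
    """Classify one inventory record (hypothetical keys 'model', 'firmware')."""
    if base_model(device["model"]) not in AFFECTED_MODELS:
        return "not-listed"
    try:
        fw = parse_firmware(device["firmware"])
    except ValueError:
        # Treat unparseable versions as needing manual review, never as safe.
        return "unknown-firmware"
    return "vulnerable" if fw < parse_firmware(FIXED_FIRMWARE) else "fixed"

def report(inventory):
    """Map each device name to its status."""
    return {d["name"]: assess(d) for d in inventory}

# Constructed sample inventory; names and firmware values are illustrative only.
SAMPLE_INVENTORY = [
    {"name": "pump-plc-01", "model": "750-8202/025-001", "firmware": "02.06.20(09)"},
    {"name": "pump-plc-02", "model": "750-8206", "firmware": "02.07.07(10)"},
    {"name": "valve-plc-03", "model": "750-8208/025-000", "firmware": "03.00.35(12)"},
    {"name": "valve-plc-04", "model": "750-8207", "firmware": "n/a"},
    {"name": "other-05", "model": "EXAMPLE-0001", "firmware": "01.00.00(01)"},
]

if __name__ == "__main__":
    for name, status in report(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

Devices reported as `vulnerable` or `unknown-firmware` are the ones to place behind the firewall restrictions above until they are updated.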
CVEs (1)