WAGO e!DISPLAY Web-Based-Management

Act NowCVSS 8ICS-CERT ICSA-18-198-02Jul 10, 2018

WAGO

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

WAGO e!DISPLAY web-based management interfaces (models 762-3000, 762-3001, 762-3002, 762-3003 running firmware FW 01) contain cross-site scripting (XSS) vulnerabilities. These allow an authenticated attacker to execute arbitrary code in the user's browser context, place malicious files on the device filesystem, and potentially escalate privileges. Exploitation requires network access to the web interface and valid login credentials, but also requires tricking an authenticated user into visiting a malicious page.

What this means

What could happen

An attacker with login credentials could inject malicious code into the web interface, allowing them to execute commands on the device, modify files on the system, or escalate privileges to gain unauthorized control over the e!DISPLAY unit and its functions.

Who's at risk

Water utilities, municipal electric utilities, and other industrial operators using WAGO e!DISPLAY units (models 762-3000, 762-3001, 762-3002, 762-3003) for monitoring and control interface functions should prioritize this issue. e!DISPLAY units are often used in SCADA and process monitoring applications where unauthorized access could impact real-time operational visibility and control.

How it could be exploited

An attacker accesses the web-based management interface of an e!DISPLAY device using valid login credentials (or by exploiting weak default credentials), then injects malicious code through a cross-site scripting (XSS) vulnerability. The injected code executes in the context of the logged-in user's browser, allowing the attacker to run arbitrary commands, modify system files, or escalate privileges on the device.

Prerequisites

Network access to the device's web management interface (port 80/443)
Valid login credentials (or default credentials if unchanged)
User interaction required (the authenticated user must visit a malicious page or link)

Remotely exploitable over networkRequires valid credentials (moderate barrier)Cross-site scripting (XSS) - low complexity attackNo patch available for affected firmware versionsDefault credentials may be widely knownRequires user interaction (visiting malicious link)

Exploitability

Likely to be exploited — EPSS score 20.5%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

e!DISPLAY 762-3000: firmware FW 01FW 01FW 02

e!DISPLAY 762-3001: firmware FW 01FW 01FW 02

e!DISPLAY 762-3002: firmware FW 01FW 01FW 02

e!DISPLAY 762-3003: firmware FW 01FW 01FW 02

Hardware e!DISPLAY<FW02FW02

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDRestrict network access to the e!DISPLAY management interface using firewall rules; allow only trusted engineering workstations

HARDENINGChange all default passwords on e!DISPLAY devices immediately

HARDENINGDo not expose the device directly to the Internet; use VPN for remote access if required

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate to firmware FW 02 or later

Long-term hardening

0/2

HARDENINGRestrict the number of users with access credentials to the device

HARDENINGSegment the e!DISPLAY and other control system devices onto a separate network isolated from business systems

CVEs (3)

CVE-2018-12980 CVE-2018-12979 CVE-2018-12981

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1242483a-1933-4471-b2e9-216359b01763

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.