WAGO Series 750-88x and 750-87x
Act Now9.8ICS-CERT ICSA-19-106-02Apr 16, 2019
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A remote attacker can change settings or alter the programming of WAGO Series 750-88x and 750-87x compact controllers without authentication. The vulnerability exists in the web server interface that handles firmware uploads and device configuration. An unauthenticated attacker on the network can modify the device's program logic, change operational parameters, or upload malicious firmware. This affects 16 controller models. WAGO has not released firmware patches for these products and recommends implementing network controls as a compensating measure.
What this means
What could happen
An attacker can remotely modify the firmware, program logic, or device settings on WAGO industrial controllers without authentication, potentially allowing them to alter process control logic, change safety parameters, or stop critical water treatment or power distribution operations.
Who's at risk
Water and electric utilities operating WAGO 750-series compact controllers (750-880, 750-881, 750-882, 750-884, 750-885, 750-889, 750-829, 750-830, 750-831, 750-849, 750-852, 750-871, 750-872, 750-873, 750-330, 750-352). These are commonly used in PLC-based process automation, pump control, motor drives, and safety system logic. Any organization using these controllers for critical process control should assess their risk immediately.
How it could be exploited
An attacker on the network can connect to the web server interface on the affected WAGO controller (port reachable from their network location). The device allows firmware uploads and configuration changes without requiring authentication. The attacker sends a crafted request to upload malicious firmware or alter device programming, gaining full control over the controller's logic.
Prerequisites
- Network access to the WAGO device web interface (typically HTTP port 80 or HTTPS port 443)
- No credentials required - the vulnerability affects the web server's authentication logic itself
remotely exploitableno authentication requiredlow complexitydefault or no authentication on web interfaceaffects programmable logic controllers used in critical infrastructureno patch available - end-of-life products
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (16)
16 EOL
ProductAffected VersionsFix Status
750-352: firmware< FW14No fix (EOL)
750-880: firmware< FW14No fix (EOL)
750-871: firmware< FW11No fix (EOL)
750-872: firmware< FW07No fix (EOL)
750-884: firmware< FW14No fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3WORKAROUNDRestrict network access to the web server port on all affected WAGO devices using firewall rules - allow only authorized engineering workstations
HARDENINGRestrict overall network access to the device - segment it onto isolated control network, not accessible from corporate network or Internet
HARDENINGDo not connect affected WAGO devices directly to the Internet
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate to the latest available firmware version for your specific model (FW14 for most models, FW11 for 750-871, FW07 for 750-872/750-873, FW06 for 750-830, FW08 for 750-849) once WAGO provides patches
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: 750-352: firmware, 750-880: firmware, 750-871: firmware, 750-872: firmware, 750-884: firmware, 750-882: firmware, 750-829: firmware, 750-881: firmware, 750-830: firmware, 750-849: firmware, 750-852: firmware, 750-885: firmware, 750-873: firmware, 750-889: firmware, 750-330: firmware, 750-831: firmware. Apply the following compensating controls:
HARDENINGImplement network segmentation: place control system networks behind firewalls and isolate from business network
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/c16809c7-62f7-4a0b-bf92-67620807b8f8