WAGO I/O-CHECK

Plan Patch | CVSS 10 | ICS-CERT ICSA-20-065-01 | Mar 5, 2020
WAGO
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The WAGO I/O-CHECK service on PFC100 and PFC200 series controllers contains multiple vulnerabilities (CWE-201, CWE-805, CWE-306, CWE-120) that allow unauthenticated remote code execution. Successful exploitation enables an attacker to modify device settings, delete applications, execute arbitrary code, crash the system, trigger denial-of-service conditions, reset to factory defaults, or overwrite MAC addresses. The I/O-CHECK service listens on TCP port 6626 and is enabled by default, but is only required during installation and commissioning.

What this means
What could happen
An attacker could remotely execute code on WAGO PLC controllers, allowing them to alter process setpoints, delete applications, crash the system, or reset the device to factory settings, disrupting water treatment or power distribution operations. No authentication is required.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using WAGO PFC100 or PFC200 series controllers (including models 750-81xx, 750-82xx, 750-823, 750-831, 750-832, 750-852, 750-862, 750-880, 750-881, 750-889, 750-890, and 750-891) for I/O control and process automation should assess this risk immediately.
How it could be exploited
An attacker on the network sends a specially crafted command to the I/O-CHECK service listening on TCP port 6626 of a WAGO PFC controller. The service processes the request without proper validation or authentication and executes the attacker's code with system privileges.
Prerequisites
  • Network access to TCP port 6626 on the WAGO controller
  • The I/O-CHECK service must be running (enabled by default)
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available for most models
  • High CVSS score (10.0)
  • Affects industrial control systems
Exploitability
Some exploitation risk — EPSS score 2.7%
Affected products (42)
4 pending, 38 EOL
Product | Affected Versions | Fix Status
CC100 0751-9x01 | All versions | No fix (EOL)
PFC100 G1 0750-810x/xxxx-xxxx | All versions | No fix (EOL)
PFC100 G2 0750-811x-xxxx-xxxx | All versions | No fix (EOL)
PFC200 G1 750-820x-xxx-xxx | All versions | No fix (EOL)
PFC200 G2 750-821x-xxx-xxx | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable TCP port 6626 immediately after device commissioning is complete
WORKAROUND: Disable all unused TCP and UDP ports on the WAGO controller
HARDENING: Restrict network access to WAGO controllers using firewall rules; only allow connections from authorized engineering workstations and management systems
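To confirm that the workarounds above took effect, the following added example (not part of the advisory and not WAGO tooling) checks whether TCP port 6626 still accepts connections on each controller in an inventory. The inventory layout, the controller names and the 192.0.2.x documentation addresses are constructed assumptions.

```python
import socket

IO_CHECK_PORT = 6626  # TCP port the advisory gives for the I/O-CHECK service


def io_check_state(host, port=IO_CHECK_PORT, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"          # host answered with a reset: nothing is listening
    except OSError:
        return "filtered"        # timeout or unreachable: dropped in transit or host down


def audit(inventory, port=IO_CHECK_PORT, timeout=2.0):
    """Check every controller; flag those reachable outside commissioning."""
    results = []
    for plc in inventory:
        state = io_check_state(plc["host"], port, timeout)
        results.append({
            "name": plc["name"],
            "host": plc["host"],
            "state": state,
            # The advisory says the service is only required during installation
            # and commissioning, so 'open' on any other controller is a finding.
            "violation": state == "open" and not plc["commissioning"],
        })
    return results


if __name__ == "__main__":
    # Constructed inventory (hypothetical names, RFC 5737 documentation addresses).
    inventory = [
        {"name": "pump-station-1", "host": "192.0.2.10", "commissioning": False},
        {"name": "new-install-7", "host": "192.0.2.11", "commissioning": True},
    ]
    for r in audit(inventory, timeout=1.0):
        flag = "FINDING" if r["violation"] else "ok"
        print(f'{r["name"]:<16} {r["host"]:<12} tcp/{IO_CHECK_PORT} {r["state"]:<8} {flag}')
```

The result depends on where the check runs: from an authorized engineering workstation, "closed" shows the service itself is disabled, while "filtered" from the business network only shows that the firewall rule is dropping traffic from that segment.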
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update to WAGO firmware version 15 or above if available for your controller model
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CC100 0751-9x01, PFC100 G1 0750-810x/xxxx-xxxx, PFC100 G2 0750-811x-xxxx-xxxx, PFC200 G1 750-820x-xxx-xxx, PFC200 G2 750-821x-xxx-xxx, Basic Controller 100 0750-800x, TP600 0762-420x/8000-000x, TP600 0762-430x/8000-000x, TP600 0762-520x/8000-000x, TP600 0762-530x/8000-000x, TP600 0762-620x/8000-000x, TP600 0762-630x/8000-000x, Edge Controller 0752-8303/8000-0002, Fieldbus Coupler 0750-0331 (discontinued), Fieldbus Coupler 0750-0331, Fieldbus Coupler 0750-0340 (discontinued), Fieldbus Coupler 0750-0341 (discontinued), Fieldbus Coupler 0750-0342, Fieldbus Coupler 0750-0352 (discontinued), Fieldbus Coupler 0750-0362, Fieldbus Coupler 0750-0363, Fieldbus Coupler 0750-0370 (discontinued), Fieldbus Coupler 0750-0375, Fieldbus Coupler 0750-0377, Controller 0750-0823, Controller 0750-0829, Controller 0750-0831 (discontinued), Controller 0750-0842, Controller 0750-0843, Controller 0750-0852 (discontinued), Controller 0750-0860 (discontinued), Controller 0750-0862, Controller 0750-0863 (discontinued), Controller 0750-0870 (discontinued), Controller 0750-0871 (discontinued), Controller 0750-0872 (discontinued), Controller 0750-0880 (discontinued), Controller 0750-0881 (discontinued). Apply the following compensating controls:
HARDENING: Isolate WAGO controllers on a dedicated OT network segment; do not connect directly to the Internet or business network