WAGO I/O-CHECK

Act Now10ICS-CERT ICSA-20-065-01Mar 5, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WAGO I/O-CHECK service on PFC100 and PFC200 series controllers contains multiple vulnerabilities (CWE-201, CWE-805, CWE-306, CWE-120) that allow unauthenticated remote code execution. Successful exploitation enables an attacker to modify device settings, delete applications, execute arbitrary code, crash the system, trigger denial-of-service conditions, reset to factory defaults, or overwrite MAC addresses. The I/O-CHECK service listens on TCP port 6626 and is enabled by default, but is only required during installation and commissioning.

What this means

What could happen

An attacker could remotely execute code on WAGO PLC controllers, allowing them to alter process setpoints, delete applications, crash the system, or reset the device to factory settings, disrupting water treatment or power distribution operations. No authentication is required.

Who's at risk

Water utilities, electric utilities, and other critical infrastructure operators using WAGO PFC100 or PFC200 series controllers (including models 750-81xx, 750-82xx, 750-823, 750-831, 750-832, 750-852, 750-862, 750-880, 750-881, 750-889, 750-890, and 750-891) for I/O control and process automation should assess this risk immediately.

How it could be exploited

An attacker on the network sends a specially crafted command to the I/O-CHECK service listening on TCP port 6626 of a WAGO PFC controller. The service processes the request without proper validation or authentication and executes the attacker's code with system privileges.

Prerequisites

Network access to TCP port 6626 on the WAGO controller
The I/O-CHECK service must be running (enabled by default)
No valid credentials required

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for most modelsHigh CVSS score (10.0)Affects industrial control systems

Exploitability

Moderate exploit probability (EPSS 2.3%)

Affected products (4)

4 pending

ProductAffected VersionsFix Status

Series PFC200: (750-82xx/xxx-xxx)750-82xx/xxx-xxxNo fix yet

I/O-CHECK Series PFC100 and Series PFC200: 750-823 750-832/xxx-xxx 750-862 750-890/xxx-xxx 750-891750-823 | 750-832/xxx-xxx | 750-862 | 750-890/xxx-xxx | 750-891No fix yet

Series PFC100: (750-81xx/xxx-xxx)750-81xx/xxx-xxxNo fix yet

I/O-CHECK Series PFC100 and Series PFC200: 750-852 750-831/xxx-xxx 750-881 750-880/xxx-xxx 750-889750-852 | 750-831/xxx-xxx | 750-881 | 750-880/xxx-xxx | 750-889No fix yet

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable TCP port 6626 immediately after device commissioning is complete

WORKAROUNDDisable all unused TCP and UDP ports on the WAGO controller

HARDENINGRestrict network access to WAGO controllers using firewall rules; only allow connections from authorized engineering workstations and management systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate to WAGO firmware version 15 or above if available for your controller model

Long-term hardening

0/1

HARDENINGIsolate WAGO controllers on a dedicated OT network segment; do not connect directly to the Internet or business network

CVEs (9)

CVE-2019-5073 CVE-2019-5074 CVE-2019-5075 CVE-2019-5077 CVE-2019-5078 CVE-2019-5079 CVE-2019-5080 CVE-2019-5081 CVE-2019-5082

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/00e48f98-7e96-4135-98d3-9cf775cbd158