WAGO Series 750-88x and 750-352 (Update A)

Plan Patch7.5ICS-CERT ICSA-20-308-01Nov 3, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

WAGO 750-series industrial controllers (750-352, 750-880, 750-881, 750-882, 750-885, 750-889, 750-829, 750-831, 750-852) contain a denial-of-service vulnerability (CWE-400: Uncontrolled Resource Consumption) that allows an attacker on the network to crash the device with a specially crafted message. Affected firmware versions are earlier than FW11. WAGO recommends updating to firmware version FW14 or later. No public exploits currently target this vulnerability.

What this means

What could happen

An attacker on the network can crash these WAGO industrial controllers with a denial-of-service attack, causing them to stop responding to process control requests and potentially shutting down automated operations dependent on these devices.

Who's at risk

Water utilities and electric utilities using WAGO 750-series programmable logic controllers (PLCs) for process automation, particularly the 750-352, 750-880/885/881/882/889, 750-831, 750-852, and 750-829 models. Any organization operating critical infrastructure that depends on these controllers for continuous operation should assess their inventory and prioritize patching or network isolation.

How it could be exploited

An attacker with network access to the WAGO device sends a specially crafted network message that triggers a resource exhaustion condition (CWE-400), causing the controller to crash. No authentication is required; the attacker only needs to reach the device on the network.

Prerequisites

Network access to the WAGO device (reachable from attacker's network segment)
No authentication credentials required
Device running firmware version earlier than FW11

Remotely exploitable over networkNo authentication requiredLow attack complexityAffects industrial control devicesNo patch available from WAGO

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (10)

9 with fix1 pending

ProductAffected VersionsFix Status

750-331/xxx-xxx:< FW11No fix yet

750-352:< FW11FW14

750-880/xxx-xxx:< FW11FW14

750-881:< FW11FW14

750-885:< FW11FW14

750-889:< FW11FW14

750-829:< FW11FW14

750-831/xxx-xxx:< FW11FW14

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDRestrict network access to the WAGO device: use firewall rules to limit which systems and network segments can reach these controllers

WORKAROUNDDisable any unused TCP and UDP ports on the WAGO device

WORKAROUNDDo not directly connect these controllers to the Internet; keep them on your internal plant network only

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate to WAGO firmware version FW14 or later on all affected 750-series controllers

Long-term hardening

0/1

HARDENINGImplement network segmentation: place the WAGO controllers behind a firewall and isolate them from the business network

CVEs (1)

CVE-2020-12516

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/bd4e137e-88a2-413f-abf6-e4eaf5177af1