WAGO PFC200 Series

Low Risk2.7ICS-CERT ICSA-23-325-01Nov 21, 2023

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

WAGO PFC200 series controllers and Touch Panel devices (firmware versions FW16 through FW26) contain an undocumented file access method that allows an attacker with administrative privileges to read sensitive files outside of intended boundaries, potentially exposing configuration data and system information. CWE-610 (Insufficient Abstraction). The vulnerability affects PFC200, PFC100, Compact Controller CC100, Edge Controller, and multiple Touch Panel 600 variants across the specified firmware range.

What this means

What could happen

An attacker with administrative access to a WAGO controller or panel could read sensitive configuration files or other restricted data that should not be accessible, potentially exposing system settings or credentials.

Who's at risk

Water utilities, power systems, and industrial facilities using WAGO PFC200, PFC100, Compact Controller CC100, Edge Controller, or Touch Panel 600 series devices for process automation and monitoring. This affects any organization relying on these controllers for machine-to-machine logic, data logging, or supervisory functions.

How it could be exploited

An attacker must first obtain administrative privileges on the device (through credential compromise, physical access, or other means), then exploit an undocumented access method to read files outside intended boundaries. This requires being authenticated to the device first.

Prerequisites

Administrative credentials for the WAGO device
Network or local access to the device management interface or API
Knowledge of the undocumented file access method

No authentication required after initial admin accessLow complexity attackNo patch available for affected firmware versionsAffects data confidentiality

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

Touch Panel 600 Standard Line: >FW16_up_to_and_including_FW26>FW16 up to and including FW26FW27 or later

Compact Controller CC100: >FW19_up_to_and_including_FW26>FW19 up to and including FW26FW27 or later

Edge Controller: >FW18_up_to_and_including_FW26>FW18 up to and including FW26FW27 or later

PFC100: >FW16_up_to_and_including_FW26>FW16 up to and including FW26FW27 or later

PFC200: >FW16_up_to_and_including_FW26>FW16 up to and including FW26FW27 or later

Touch Panel 600 Marine Line: >FW16_up_to_and_including_FW26>FW16 up to and including FW26FW27 or later

Touch Panel 600 Advanced Line: >FW16_up_to_and_including_FW26>FW16 up to and including FW26FW27 or later

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to WAGO device management interfaces using firewall rules—limit administrative access to engineering workstations and approved subnets only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to FW27 or later on all affected WAGO controllers and panels

HARDENINGReview and rotate administrative credentials for all WAGO devices to limit impact of potential account compromise

Long-term hardening

0/1

HARDENINGImplement network segmentation to prevent untrusted networks from reaching WAGO devices directly

CVEs (1)

CVE-2023-4089

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0fd4d482-2a69-4db1-8950-5153b3796642