WAGO: 750-8xx Controller Denial of Service

Monitor7.5VDE-2018-013Aug 17, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The WAGO 750-8xx controller series is vulnerable to a Denial-of-Service attack triggered by a flood of network packets (CWE-770). An attacker can overwhelm the device, rendering it unable to respond to legitimate traffic and communications. The vulnerability affects the internal Ethernet port and network interfaces across multiple models: PFC100, BACnet/IP, ETH, and KNX IP variants. CVSS 7.5 (high severity).

What this means

What could happen

An attacker can flood the 750-8xx controller with network packets, causing it to stop responding to legitimate traffic and disrupting industrial automation processes. This denial of service persists until the attack traffic ceases.

Who's at risk

Water authorities, electric utilities, and industrial manufacturers using WAGO 750-8xx programmable Ethernet controllers (models 750-880 PFC100, 750-831 BACnet/IP, 750-8xx ETH, and 750-889 KNX IP) for process control, data acquisition, or remote monitoring should implement these mitigations immediately.

How it could be exploited

An attacker on the network sends a flood of packets destined for the controller. The device lacks rate limiting by default and becomes overwhelmed, unable to process legitimate commands or communications from your control systems or remote monitoring applications.

Prerequisites

Network access to the controller (typically port 80 for Web Management, port 502 for Modbus, or port 47808 for Modbus TCP depending on configuration)
No authentication required—attack is a simple packet flood and does not require credentials

Remotely exploitableNo authentication requiredLow complexity attack (packet flooding)Affects industrial control and automation systemsCan disrupt critical infrastructure operations

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Hardware Controller PFC100≤ 02.05.23(08)Fix available

Hardware Controller BACnet/IP≤ 01.02.29(09)Fix available

Hardware Controller ETH≤ 01.07.03(10)Fix available

Hardware Controller KNX IP≤ 01.07.13(10)Fix available

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDEnable rate limiting on the internal Ethernet port via Web-based Management: navigate to Ethernet > 'Misc. Configuration' > 'internal Port' > 'Output Limit Rate' and configure a rate limit appropriate for your application

HARDENINGRestrict network access to the controller using a firewall: allow only traffic from trusted engineering workstations, SCADA servers, and monitoring systems; deny all other inbound connections

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to the latest available version: PFC100 to at least 02.05.24 or later, BACnet/IP to at least 01.02.30 or later, ETH to at least 01.07.04 or later, and KNX IP to at least 01.07.14 or later

Long-term hardening

0/1

HARDENINGPlace the 750-8xx controller in a closed or segmented network that is isolated from untrusted network segments

CVEs (1)

CVE-2018-25108

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f371e520-5deb-4ebc-94e4-24274c7844ca