WAGO: Series PFC100/PFC200 Information Disclosure

Monitor5.3VDE-2019-017Sep 18, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in WAGO PFC100 (model 750-81xx/xxx-xxx) and PFC200 (model 750-82xx/xxx-xxx) controllers allows a remote attacker to enumerate filesystem paths and filenames through the device's web server. This information disclosure could expose configuration details or system information useful for planning further attacks. The vulnerability affects firmware versions prior to FW12.

What this means

What could happen

An attacker with network access to the device can enumerate filesystem paths and filenames, potentially exposing sensitive configuration data or system information that could be used to plan further attacks.

Who's at risk

Water utilities and municipal electric utilities operating WAGO PFC100 or PFC200 programmable controllers for process automation and data acquisition. These controllers commonly manage remote terminal units (RTUs) for SCADA-based monitoring and control of pumping stations, substations, and treatment processes.

How it could be exploited

An attacker sends HTTP requests to the PFC100 or PFC200 web server without authentication. By probing various file paths, the attacker can determine which files and directories exist on the device, gathering information about the system configuration and installed components.

Prerequisites

Network access to the device's web server (typically port 80 or 443)
No authentication required

remotely exploitableno authentication requiredlow complexityinformation disclosure

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

PFC100 750-81xx/xxx-xxx<FW12FW12

PFC200 750-82xx/xxx-xxx<FW12FW12

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the device's web server using firewall rules; allow only from authorized engineering workstations or administrative networks

HARDENINGDo not connect the device directly to the internet; place it on a protected industrial network behind a firewall

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate PFC100 (750-81xx/xxx-xxx) firmware to FW12 or later

HOTFIXUpdate PFC200 (750-82xx/xxx-xxx) firmware to FW12 or later

CVEs (1)

CVE-2019-18202

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ce1380c6-708c-40b2-8905-24773e738bfb