WAGO: Multiple Vulnerabilities in I/O-Check Service in Multiple Devices

Act Now | CVSS 9.8 | VDE-2019-022 | Dec 16, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple input validation vulnerabilities exist in the I/O-Check service running on WAGO PFC100 and PFC200 controllers and related models. The service listens on TCP/UDP port 6626 and is enabled by default. A remote attacker can send specially crafted packets to cause buffer overflows (CWE-787), information disclosure (CWE-200), or bypass authorization checks (CWE-306). Exploitation results in remote code execution, unauthorized configuration changes, application deletion, factory reset, or denial of service. The I/O-Check service is only needed during installation and commissioning, not for normal operation. Most affected products can be patched to firmware FW15 or later; the 750-891 has no vendor fix available.

What this means
What could happen
An attacker on the network can send specially crafted requests to the I/O-Check service to execute arbitrary code, modify device settings, delete applications, reset the device to factory defaults, or crash operations on WAGO process controllers. This could disrupt critical automation processes and allow unauthorized control of your facility's programmable logic.
Who's at risk
Water and electric utilities rely on WAGO PFC100 and PFC200 series controllers for process automation, remote terminal units (RTUs), and fieldbus gateways. This vulnerability affects multiple WAGO industrial controllers used in pump stations, substations, water treatment plants, and distributed automation nodes. Any facility using these controllers for critical process control is at risk.
How it could be exploited
An attacker with network access to the device sends malformed or malicious packets to the I/O-Check service on TCP/UDP port 6626. The service fails to properly validate input, allowing the attacker to inject commands that execute on the device without authentication. No user interaction is required.
Prerequisites
  • Network access to the device on port 6626 (I/O-Check service port)
  • I/O-Check service enabled (enabled by default)
Tags: remotely exploitable, no authentication required, low complexity, affects process control systems, no patch available for 750-891 model
Affected products (11)
10 with fix, 1 EOL
Product                      Affected Versions   Fix Status
750-81xx/xxx-xxx (PFC100)    <FW15               FW15
750-823                      <FW15               FW15
750-82xx/xxx-xxx (PFC200)    <FW15               FW15
750-831/xxx-xxx              <FW15               FW15
750-832/xxx-xxx              <FW15               FW15
750-852                      <FW15               FW15
750-880/xxx-xxx              <FW15               FW15
750-881                      <FW15               FW15
Remediation & Mitigation
Do now
750-891
WORKAROUND: For 750-891 devices (no firmware patch available), maintain strict network isolation and disable port 6626 permanently
All products
WORKAROUND: Disable port 6626 (I/O-Check service) on all WAGO controllers after commissioning is complete
HARDENING: Restrict network access to port 6626 using firewall rules; allow only from commissioning workstations during maintenance windows
HARDENING: Do not connect WAGO PFC controllers directly to the internet or untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

750-81xx/xxx-xxx (PFC100)
HOTFIX: Update affected devices (PFC100, PFC200, 750-823, 750-831, 750-832, 750-852, 750-880, 750-881, 750-889, 750-890 series) to firmware version FW15 or later
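
Added example (not part of the original advisory and not WAGO tooling): a Python audit that maps an asset inventory to the remediation steps above, flagging listed models below FW15, the 750-891 with no fix, and any controller where TCP 6626 still accepts connections. The inventory rows, the "FWnn" firmware string format and the function names are assumptions.

```python
import re
import socket

IO_CHECK_PORT = 6626  # I/O-Check service port named in the advisory
FIXED_FW = 15         # FW15 or later carries the vendor fix

# Order-number prefixes from the advisory's product table and HOTFIX line.
PATCHABLE = re.compile(r"^750-(81\d\d|82\d\d|823|831|832|852|880|881|889|890)\b")
NO_FIX = re.compile(r"^750-891\b")

def firmware_number(fw):
    """Parse 'FW14' or '14' to an int (assumed format); None if unreadable."""
    m = re.fullmatch(r"(?:FW)?\s*(\d+)", fw.strip(), re.IGNORECASE)
    return int(m.group(1)) if m else None

def tcp_port_open(host, port=IO_CHECK_PORT, timeout=2.0):
    """Plain TCP connect check; the UDP listener is not probed here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def actions(order_no, fw, port_open):
    """Map one inventory row to the advisory's remediation steps."""
    acts = []
    if NO_FIX.match(order_no):
        acts.append("no vendor fix: keep on an isolated network")
    elif PATCHABLE.match(order_no):
        n = firmware_number(fw)
        if n is None:
            acts.append("firmware unreadable: verify manually")
        elif n < FIXED_FW:
            acts.append("update to FW15 or later")
    else:
        return acts  # model not listed in this advisory
    if port_open:
        acts.append("disable I/O-Check or firewall port 6626")
    return acts

# Constructed inventory rows (RFC 5737 documentation addresses), not real devices.
INVENTORY = [
    ("192.0.2.10", "750-8202/025-000", "FW12"),
    ("192.0.2.11", "750-8100", "FW16"),
    ("192.0.2.12", "750-891", "FW10"),
]

if __name__ == "__main__":
    for host, order_no, fw in INVENTORY:
        is_open = tcp_port_open(host)
        print(host, order_no, fw, "6626 open" if is_open else "6626 closed", actions(order_no, fw, is_open))
```

Run it from a host inside the control network segment, since a closed result from outside the firewall says nothing about exposure to neighbouring devices.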