WAGO: e!Cockpit cleartext communication and hardcoded key

Monitor | CVSS 7.5 | VDE-2020-004 | Mar 9, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Communication between WAGO e!Cockpit engineering software and WAGO PLCs (762-4xxx, 762-5xxx, 762-6xxx, 750-81xx/xxx-xxx, 750-82xx/xxx-xxx) is unencrypted. The authentication password is encrypted using a hardcoded cryptographic key, allowing an attacker who can sniff network traffic to decrypt the password and gain unauthorized access to reprogram the PLC. Affected devices running FW04 and later have no patch available.

What this means
What could happen
An attacker who can listen to network traffic between e!Cockpit engineering software and WAGO PLCs can decrypt the authentication password and gain access to reprogram the controller, potentially altering process logic, setpoints, or safety interlocks.
Who's at risk
Operators and IT staff at manufacturing and transportation facilities running WAGO 762 or 750-81xx/82xx PLCs with e!Cockpit engineering software. This affects sites where PLCs are networked and accessible to engineering workstations, particularly during commissioning and maintenance activities.
How it could be exploited
An attacker must be positioned on the network segment between an e!Cockpit workstation and the WAGO PLC (same subnet or routed path). They capture unencrypted TCP/UDP traffic on ports 11740/1740, extract the hardcoded-key-encrypted password from the communication, decrypt it offline, and use it to authenticate to the PLC via e!Cockpit or directly to reprogram the device.
Prerequisites
  • Network access to PLC on TCP port 11740 or UDP port 1740
  • Ability to sniff traffic between e!Cockpit workstation and PLC (same broadcast domain or network path)
  • Access to WAGO PLC with e!Cockpit communication enabled
Tags: remotely exploitable, no authentication required on network, low complexity, hardcoded credentials, no patch available, affects safety-critical systems
Affected products (5)
5 pending
Product | Affected Versions | Fix Status
762-4xxx | ≥ FW04 | No fix yet
762-5xxx | ≥ FW04 | No fix yet
762-6xxx | ≥ FW04 | No fix yet
750-81xx/xxx-xxx | ≥ FW04 | No fix yet
750-82xx/xxx-xxx | ≥ FW04 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Disable TCP port 11740 and UDP port 1740 on the WAGO PLC after commissioning is complete
HARDENING: Restrict network access to WAGO PLCs using firewall rules to allow e!Cockpit traffic only from authorized engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Use an encrypted VPN connection to the device when remote e!Cockpit access is required
HARDENING: Disable all unused TCP and UDP ports on WAGO PLCs
Long-term hardening
HARDENING: Do not connect WAGO PLCs directly to the internet
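
Whether the port-restriction mitigations above actually hold can be checked against network flow logs. The Python script below is an added example, not part of the advisory or any WAGO tooling; the flow-log format, IP addresses and inventory sets are constructed assumptions, and only the port numbers (TCP 11740, UDP 1740) come from the advisory.

```python
import ipaddress
import re

# Ports the advisory names for e!Cockpit <-> PLC communication.
ECOCKPIT_PORTS = {("tcp", 11740), ("udp", 1740)}

# Assumed site inventory (constructed values, not from the advisory).
PLC_NET = ipaddress.ip_network("10.0.10.0/24")
ENGINEERING_WORKSTATIONS = {ipaddress.ip_address("10.0.5.20")}
# PLCs whose commissioning is complete: the ports should be disabled there.
COMMISSIONED_PLCS = {ipaddress.ip_address("10.0.10.12")}

# Assumed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
FLOW_RE = re.compile(
    r"^(\S+)\s+(tcp|udp)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$", re.I)

# Constructed sample flow records.
SAMPLE_FLOWS = """\
2020-03-09T08:00:01Z tcp 10.0.5.20:51234 -> 10.0.10.11:11740
2020-03-09T08:02:17Z tcp 10.0.7.44:40112 -> 10.0.10.11:11740
2020-03-09T08:03:40Z udp 10.0.5.20:1740 -> 10.0.10.12:1740
2020-03-09T08:05:09Z tcp 10.0.7.44:40200 -> 10.0.10.11:443
garbage line
"""

def audit_flows(text):
    """Return (timestamp, src, dst, reason) for each policy violation."""
    findings = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        ts, proto, src, _sport, dst, dport = m.groups()
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed address
        if dst_ip not in PLC_NET or (proto.lower(), int(dport)) not in ECOCKPIT_PORTS:
            continue  # not e!Cockpit traffic towards a PLC
        if src_ip not in ENGINEERING_WORKSTATIONS:
            findings.append((ts, src, dst, "unauthorized source"))
        elif dst_ip in COMMISSIONED_PLCS:
            findings.append((ts, src, dst, "port still open after commissioning"))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

Any finding means cleartext e!Cockpit traffic is reaching a PLC outside the intended policy and the firewall rules or PLC port settings should be reviewed.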
WAGO: e!Cockpit cleartext communication and hardcoded key | CVSS 7.5 - OTPulse