WAGO: Cloud Connectivity Remote Code Execution Vulnerability

Plan PatchCVSS 9.1VDE-2020-010Mar 9, 2020

WAGO

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

WAGO PFC100, PFC200, and 762 series controllers with firmware version 12 and later contain a vulnerability in cloud connectivity that allows an authenticated administrator to redirect the device to a malicious Azure cloud account. An attacker with admin credentials can then deploy unauthorized firmware updates to execute arbitrary code on the controller. This affects the device's ability to perform its intended industrial control functions and could allow manipulation of setpoints, process parameters, or system operation.

What this means

What could happen

An attacker with admin credentials can redirect the device's cloud connectivity to a malicious Azure account and deploy unauthorized firmware, potentially compromising the PLC's control logic and allowing alteration of industrial processes.

Who's at risk

Water authorities and electric utilities operating WAGO PFC100, PFC200, and 762 series controllers used in process automation and control systems. Firmware versions 12 and later on all listed products are affected. Risk is highest in environments where admin accounts exist or where the controller is exposed to networks with untrusted users.

How it could be exploited

An attacker with valid admin credentials logs into the WAGO controller, reconfigures the cloud connectivity settings to point to an attacker-controlled Azure account, and uses the firmware update mechanism to deploy malicious code. The malicious firmware executes with PLC privileges, allowing command execution on the device.

Prerequisites

Valid administrative account credentials on the WAGO device
Network access to the controller's administrative interface (typically local network or VPN)
Access to configure cloud connectivity and firmware update settings

No patch available from vendorRequires administrative credentials (reduces exposure but still critical if compromised)Cloud connectivity feature enables remote attack vectorAffects PLCs and automation controllers in critical infrastructure

Exploitability

Some exploitation risk — EPSS score 4.9%

Affected products (5)

5 pending

ProductAffected VersionsFix Status

750-81xx/xxx-xxx (PFC100)≥ FW12No fix yet

750-82xx/xxx-xxx (PFC200)≥ FW12No fix yet

762-4xxx≥ FW12No fix yet

762-5xxx≥ FW12No fix yet

762-6xxx≥ FW12No fix yet

Remediation & Mitigation

0/7

Do now

0/5

HARDENINGRestrict network access to the device using firewall rules—allow only authorized administrative and operational network segments

HARDENINGDo not connect the device directly to the internet; place it behind a firewall or NAT

HARDENINGUse a VPN connection for all remote administrative access to the device

HARDENINGEnforce strong, unique passwords for all administrative accounts on the device and rotate them regularly

WORKAROUNDVerify the SHA hash of any firmware update package against the official WAGO release documentation before applying updates

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGDisable all unused TCP and UDP ports on the device

HARDENINGReview and follow WAGO's Cyber Security for Controller handbook to harden the device configuration

CVEs (1)

CVE-2019-5161

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/01e3e471-55ed-4aac-8806-aec255715f3e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.