WAGO: Cloud Connectivity Remote Code Execution Vulnerability

Priority: Act Now
CVSS score: 9.1
Advisory ID: VDE-2020-010
Published: Mar 9, 2020
Attack Vector: Network
Auth Required: High (valid administrative credentials on the device)
Complexity: Low
User Interaction: None needed
Summary

WAGO PFC100, PFC200, and 762 series controllers with firmware version 12 and later contain a vulnerability in the cloud connectivity feature that allows an authenticated administrator to repoint the device from its legitimate cloud endpoint to an attacker-controlled Azure cloud account. From that account the attacker can push unauthorized firmware updates and so execute arbitrary code on the controller. This compromises the device's industrial control functions and could allow manipulation of setpoints, process parameters, or overall system operation.

What this means
What could happen
An attacker with admin credentials can redirect the device's cloud connectivity to a malicious Azure account and deploy unauthorized firmware, potentially compromising the PLC's control logic and allowing alteration of industrial processes.
Who's at risk
Water authorities and electric utilities operating WAGO PFC100, PFC200, and 762 series controllers in process automation and control systems. Firmware versions 12 and later on all listed products are affected. Exposure is highest where administrative credentials are shared, weak, or reused, or where the controller's administrative interface is reachable from networks carrying untrusted users.
How it could be exploited
An attacker with valid admin credentials logs into the WAGO controller, reconfigures the cloud connectivity settings to point to an attacker-controlled Azure account, and then uses the firmware update mechanism to deliver a malicious image from that account. Because the image runs as the controller's own firmware, the attacker gains persistent code execution on the device and control over the PLC's logic.
Prerequisites
  • Valid administrative account credentials on the WAGO device
  • Network access to the controller's administrative interface (typically local network or VPN)
  • Access to configure cloud connectivity and firmware update settings
Key points
  • No patch available from the vendor (every listed product shows "No fix yet")
  • Requires administrative credentials (reduces exposure, but still critical if those credentials are compromised)
  • The cloud connectivity feature turns this into a remotely reachable attack vector
  • Affects PLCs and automation controllers deployed in critical infrastructure
Affected products (5, all pending a fix)

Product                   | Affected Versions | Fix Status
750-81xx/xxx-xxx (PFC100) | ≥ FW12            | No fix yet
750-82xx/xxx-xxx (PFC200) | ≥ FW12            | No fix yet
762-4xxx                  | ≥ FW12            | No fix yet
762-5xxx                  | ≥ FW12            | No fix yet
762-6xxx                  | ≥ FW12            | No fix yet
Remediation & Mitigation

Do now
  • HARDENING: Restrict network access to the device with firewall rules; allow only authorized administrative and operational network segments to reach it
  • HARDENING: Do not connect the device directly to the internet; place it behind a firewall or NAT
  • HARDENING: Use a VPN connection for all remote administrative access to the device
  • HARDENING: Enforce strong, unique passwords for all administrative accounts on the device and rotate them regularly
  • WORKAROUND: Verify the SHA hash of any firmware update package against the official WAGO release documentation before applying it. This catches a tampered or substituted image, but it does not stop an attacker who already holds admin credentials from repointing the device's cloud connection; treat it as a complement to the access controls above, not a substitute.
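As an added example, not from the OTPulse page and not WAGO's own tooling, the following POSIX shell helper refuses to stage an update image unless its digest matches the value copied from WAGO's release documentation. The digest length selects SHA-1 or SHA-256, hex case is normalised, and a missing file or malformed digest is rejected rather than silently passed. The stand-in image (the bytes "hello") and its "published" digest are constructed for the demo, not a real WAGO release hash.

```shell
#!/bin/sh
# Added example (not WAGO's tooling): gate a firmware image on its published digest.
# verify_firmware <image-file> <expected-hex-digest>
#   expected-hex-digest: 40 hex chars -> SHA-1, 64 hex chars -> SHA-256
#   exit status 0 = match, 1 = mismatch, missing file, or unusable digest
verify_firmware() {
    image=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex

    [ -f "$image" ] || { echo "ERROR: no such image: $image" >&2; return 1; }
    case $expected in
        ''|*[!0-9a-f]*) echo "ERROR: digest is not a hex string" >&2; return 1 ;;
    esac
    case ${#expected} in
        64) tool=sha256sum ;;
        40) tool=sha1sum ;;
        *)  echo "ERROR: digest must be SHA-1 (40 hex) or SHA-256 (64 hex), got ${#expected} chars" >&2
            return 1 ;;
    esac

    actual=$("$tool" "$image" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $image matches published $tool digest"
        return 0
    fi
    echo "REFUSED: $image does not match the published digest" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Demo with a constructed stand-in image (the bytes "hello"); the "published"
# digest is simply SHA-256("hello"), not a real WAGO release hash.
demo_image=$(mktemp)
printf 'hello' > "$demo_image"
published=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
tampered=$(printf '%s' "$published" | sed 's/.$/0/')   # last hex digit altered

verify_firmware "$demo_image" "$published"           # prints OK, exit 0
if ! verify_firmware "$demo_image" "$tampered"; then  # prints REFUSED, exit 1
    echo "update staging aborted"
fi
rm -f "$demo_image"
```

Run it on the real image with the digest from WAGO's release notes as the second argument; anything other than exit status 0 means the image must not be loaded onto the controller.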
Schedule (requires a maintenance window)

A future firmware fix, and some of the hardening below, may require a device reboot; plan for process interruption.

  • HARDENING: Disable all unused TCP and UDP ports on the device
  • HARDENING: Review and follow WAGO's Cyber Security for Controller handbook to harden the device configuration
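Closing unused ports is only done once you have checked from the network that they are actually closed. The script below is an added example, not from the OTPulse page and not WAGO's own tooling: it parses nmap's grepable (-oG) output and reports every open port that is not on the allow-list you decided to keep. The scan text is a constructed sample, and the address, service names and allowed ports are illustrative assumptions, not WAGO's documented service list.

```shell
#!/bin/sh
# Added example (not WAGO's tooling): audit a controller's open ports after hardening.

# Constructed sample of what `nmap -sS -sU -oG - <controller>` might print.
# Addresses, services and port numbers are assumptions for the example.
SCAN=$(
    printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, '
    printf '443/open/tcp//https///, 502/open/tcp//mbap///, 4840/open/tcp//opcua-tcp///, '
    printf '161/open/udp//snmp///\tIgnored State: closed (65530)\n'
)

# Ports that must stay open for this deployment (assumption: SSH and HTTPS for
# administration from the engineering segment, Modbus/TCP for the process network).
ALLOWED='22/tcp
443/tcp
502/tcp'

# open_ports <grepable-scan-text>: prints one "port/proto" line per open port
open_ports() {
    printf '%s\n' "$1" | awk -F'\t' '
        {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, item, /, /)
                for (j = 1; j <= n; j++) {
                    split(item[j], f, "/")    # port/state/proto/owner/service/...
                    if (f[2] == "open") print f[1] "/" f[3]
                }
            }
        }'
}

# unexpected_ports <grepable-scan-text> <allowed-list>: prints open ports that are
# not on the allow-list; exit status 1 if any were found, 0 if the device is clean
unexpected_ports() {
    scan=$1 allowed=$2 found=0
    for p in $(open_ports "$scan"); do
        if ! printf '%s\n' "$allowed" | grep -qxF -- "$p"; then
            echo "$p"
            found=1
        fi
    done
    return $found
}

if unexpected_ports "$SCAN" "$ALLOWED"; then
    echo "only allow-listed ports are open"
else
    echo "the ports above are open but not on the allow-list: close them on the device"
fi
```

For a live check, replace the constructed SCAN text with the output of `nmap -sS -sU -oG - <controller-address>` run from the segment that is supposed to reach the device, and keep the allow-list under version control so that a port reappearing after a firmware change is noticed.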
WAGO: Cloud Connectivity Remote Code Execution Vulnerability | CVSS 9.1 - OTPulse