WAGO: Web Based Management - Code Execution Vulnerability
Act Now | 9.1 | VDE-2020-015 | Jun 10, 2020
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
The Web-Based Management (WBM) interface in WAGO PLC controllers contains a code execution vulnerability in the software upload functionality. An authenticated attacker with administrative privileges can upload and execute malicious software packages with root-level access, enabling complete compromise of the device. The vulnerability affects PFC100, PFC200, and 762-series controllers running firmware versions prior to 03.04.10(FW16).
What this means
What could happen
An authenticated attacker with administrative credentials can upload malicious software packages to the PLC with root privileges, enabling complete device compromise and manipulation of industrial processes.
Who's at risk
Manufacturing organizations operating WAGO PLC controllers (PFC100, PFC200, and 762 series modules) used for process control, automation, and industrial operations should prioritize this vulnerability. The affected devices are commonly deployed in production environments where unauthorized code execution could halt operations or alter critical control setpoints.
How it could be exploited
An attacker with valid administrative credentials accesses the Web-Based Management (WBM) interface via the network, then uses the software upload functionality to install a malicious package with root-level access. Once installed, the attacker can execute arbitrary code with full control over the PLC's operations.
Prerequisites
- Valid administrative credentials for the Web-Based Management interface
- Network access to the WBM interface (typically port 80/443)
- Device is running firmware version prior to 03.04.10(FW16)
- Remotely exploitable over network
- Requires administrative credentials (elevated privilege requirement reduces but does not eliminate risk)
- Low attack complexity
- Affects industrial control systems with potential impact on physical operations
- Software upload bypasses normal process safety controls
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
PFC100 | <03.04.10(FW16) | 03.04.10(FW16)
PFC200 | <03.04.10(FW16) | 03.04.10(FW16)
762-4xxx | <03.04.10(FW16) | 03.04.10(FW16)
762-5xxx | <03.04.10(FW16) | 03.04.10(FW16)
762-6xxx | <03.04.10(FW16) | 03.04.10(FW16)
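One way to triage an asset inventory against the table above, as an added example that is not part of the original advisory. It assumes the inventory records product names as the advisory writes them, that "x" in 762-4xxx stands for any digit, and that the dotted version number orders releases; the hostnames and inventory rows are constructed.

```python
import re

# Fixed release from the advisory: 03.04.10(FW16).
# Assumption: the dotted triple orders releases; the (FWnn) suffix is not compared.
FIXED = (3, 4, 10)
# Product names exactly as in the advisory table. Assumption: "x" means any digit.
AFFECTED = ["PFC100", "PFC200", "762-4xxx", "762-5xxx", "762-6xxx"]
AFFECTED_RE = re.compile(
    "^(?:%s)$" % "|".join(re.escape(p).replace("x", r"\d") for p in AFFECTED),
    re.IGNORECASE)
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*(?:\(FW\d+\))?\s*$")


def parse_version(text):
    """Return (major, minor, patch) from e.g. '03.04.10(FW16)', or None."""
    m = VERSION_RE.match(text)
    return tuple(int(g) for g in m.group(1, 2, 3)) if m else None


def triage(model, firmware):
    """Classify one row as 'not-listed', 'unknown', 'vulnerable' or 'fixed'."""
    if not AFFECTED_RE.match(model.strip()):
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # unreadable version: flag for manual check, never assume safe
    # Integer tuples avoid the string-compare trap where "3.2.2" sorts after "03.04.10".
    return "vulnerable" if version < FIXED else "fixed"


# Constructed inventory rows (hostname, model, firmware), for illustration only.
INVENTORY = [
    ("line1-plc", "PFC200", "03.03.10(FW15)"),
    ("line2-plc", "PFC100", "03.04.10(FW16)"),
    ("panel-07", "762-4101", "3.2.2"),
    ("line3-plc", "pfc200", "n/a"),
    ("misc-02", "EXAMPLE-SWITCH", "01.00.00"),
]


def report(rows):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in rows}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Rows reported as "unknown" need a manual firmware check on the device before they are treated as patched.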
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the Web-Based Management interface using firewall rules or network segmentation; allow only from authorized engineering workstations and administrative networks
- HARDENING: Enforce strong passwords for all administrative accounts on the device
- HARDENING: Do not expose the PLC directly to the internet; keep it on an isolated industrial network
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update all affected PLC firmware to version 03.04.10(FW16) or later
Long-term hardening
- HARDENING: Review and follow WAGO's Cyber Security for Controller handbook guidance for secure configuration
CVEs (1)