WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X

Monitor | CVSS 6.1 | VDE-2020-029 | Sep 30, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

The Web-Based Management (WBM) interface on WAGO 750-88X and 750-89X series PLCs contains a persistent cross-site scripting (XSS) vulnerability in the SNMP configuration page. An attacker can inject malicious JavaScript that executes when authorized users access the SNMP settings, potentially enabling credential theft, unauthorized device configuration changes, or execution of control commands. The vulnerability affects models 750-352, 750-362, 750-363, 750-823, 750-831, 750-832, 750-852, 750-862, 750-880, 750-881, 750-889, 750-890, and 750-891.

What this means
What could happen
An attacker could inject malicious code into the SNMP configuration page that executes when an authorized user accesses the web interface, potentially allowing the attacker to steal credentials, modify device settings, or trigger unauthorized control actions on the PLC.
Who's at risk
Manufacturing facilities and utilities operating WAGO 750-88X and 750-89X series PLCs should be concerned. These compact PLCs are commonly used in process control, automation, and building management applications. Any facility that relies on these controllers for production processes or critical operations should prioritize firmware updates.
How it could be exploited
An attacker with network access to the device's Web-Based Management interface injects malicious JavaScript into the SNMP configuration page (persistent XSS). When an authorized user visits the SNMP configuration page, the malicious script executes in their browser with the privileges of that user, allowing the attacker to intercept credentials, modify PLC parameters, or perform actions on behalf of the user.
Prerequisites
  • Network access to the WBM HTTP/HTTPS port on the target WAGO PLC (typically port 80 or 443)
  • Ability to inject malicious data into the SNMP configuration page fields
  • An authorized user must visit the SNMP configuration page for the injected script to execute
  • remotely exploitable
  • requires user interaction (authorized user must visit affected page)
  • low attack complexity
  • persistent XSS can affect multiple users
Affected products (13)
13 with fix
Product            Affected Versions   Fix Status
750-352            ≤ FW13              FW14
750-362            ≤ FW03              FW05
750-363            ≤ FW03              FW05
750-823            ≤ FW03              FW05
750-831/xxx-xxx    ≤ FW13              FW14
750-832/xxx-xxx    ≤ FW03              FW05
750-852            ≤ FW13              FW14
750-862            ≤ FW03              FW05
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the WBM management interface to only authorized engineering workstations using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware on all affected WAGO 750-88X and 750-89X devices: update to FW14 for models 750-352, 750-831/xxx-xxx, 750-852, 750-880/xxx-xxx, 750-881, 750-889; update to FW05 for models 750-362, 750-363, 750-823, 750-832/xxx-xxx, 750-862, 750-890/0xx-xxx, 750-891
Long-term hardening
HARDENING: Disable unnecessary TCP/UDP ports on the devices
HARDENING: Enforce strong, unique passwords for all device administrative accounts
HARDENING: Do not expose the WBM interface directly to the internet; keep devices on an isolated OT network or behind a firewall
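
To plan the firmware update above, an asset inventory can be triaged against the fixed releases named in the HOTFIX entry. The following Python sketch is an added example, not code from WAGO or from this advisory's publisher; the inventory rows are constructed, and two assumptions are marked in the comments (any firmware below the fixed release needs the update, and a bare base order number also matches a suffixed entry).

```python
import re

# Fixed firmware per model pattern, transcribed from the HOTFIX entry of this
# advisory ("x" stands for any digit in the order-number suffix).
FIXED_FW = {
    14: ["750-352", "750-831/xxx-xxx", "750-852", "750-880/xxx-xxx",
         "750-881", "750-889"],
    5: ["750-362", "750-363", "750-823", "750-832/xxx-xxx", "750-862",
        "750-890/0xx-xxx", "750-891"],
}

def _compile(pattern):
    # Assumption: a bare base number (no suffix) also matches a suffixed entry.
    base, _, suffix = pattern.partition("/")
    rx = re.escape(base)
    if suffix:
        rx += "(?:/" + re.escape(suffix).replace("x", r"\d") + ")?"
    return re.compile(rx)

RULES = [(_compile(p), fw) for fw, pats in FIXED_FW.items() for p in pats]

def parse_fw(text):
    """Turn 'FW13', 'fw 05' or '13' into an int; None if unparseable."""
    m = re.fullmatch(r"\s*(?:FW)?\s*0*(\d+)\s*", text, re.IGNORECASE)
    return int(m.group(1)) if m else None

def triage(order_number, firmware):
    """Return 'update', 'fixed', 'not-listed' or 'check-manually'."""
    for rx, fixed in RULES:
        if rx.fullmatch(order_number.strip()):
            fw = parse_fw(firmware)
            if fw is None:
                return "check-manually"  # firmware string could not be read
            # Assumption: anything below the fixed release needs the update.
            return "fixed" if fw >= fixed else "update"
    return "not-listed"  # order number is not named in this advisory

# Constructed inventory rows (order number, firmware string), not real devices.
INVENTORY = [
    ("750-352", "FW13"), ("750-831/000-002", "FW14"),
    ("750-890/040-000", "FW03"), ("750-890/140-000", "FW03"),
    ("750-862", "unknown"), ("750-999", "FW16"),
]

if __name__ == "__main__":
    for order, fw in INVENTORY:
        print(f"{order:18} {fw:8} {triage(order, fw)}")
```

Devices reported as "not-listed" or "check-manually" are outside what this advisory states and need to be checked against the vendor's own documentation.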