WAGO: XSS vulnerability in Web-UI in WAGO 750-88X and WAGO 750-89X

MonitorCVSS 6.1VDE-2020-029Sep 30, 2020

WAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

The Web-Based Management (WBM) interface on WAGO 750-88X and 750-89X series PLCs contains a persistent cross-site scripting (XSS) vulnerability in the SNMP configuration page. An attacker can inject malicious JavaScript that executes when authorized users access the SNMP settings, potentially enabling credential theft, unauthorized device configuration changes, or execution of control commands. The vulnerability affects models 750-352, 750-362, 750-363, 750-823, 750-831, 750-832, 750-852, 750-862, 750-880, 750-881, 750-889, 750-890, and 750-891.

What this means

What could happen

An attacker could inject malicious code into the SNMP configuration page that executes when an authorized user accesses the web interface, potentially allowing the attacker to steal credentials, modify device settings, or trigger unauthorized control actions on the PLC.

Who's at risk

Manufacturing facilities and utilities operating WAGO 750-88X and 750-89X series PLCs should be concerned. These compact PLCs are commonly used in process control, automation, and building management applications. Any facility that relies on these controllers for production processes or critical operations should prioritize firmware updates.

How it could be exploited

An attacker with network access to the device's Web-Based Management interface injects malicious JavaScript into the SNMP configuration page (persistent XSS). When an authorized user visits the SNMP configuration page, the malicious script executes in their browser with the privileges of that user, allowing the attacker to intercept credentials, modify PLC parameters, or perform actions on behalf of the user.

Prerequisites

Network access to the WBM HTTP/HTTPS port on the target WAGO PLC (typically port 80 or 443)
Ability to inject malicious data into the SNMP configuration page fields
An authorized user must visit the SNMP configuration page for the injected script to execute

remotely exploitablerequires user interaction (authorized user must visit affected page)low attack complexitypersistent XSS can affect multiple users

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (13)

13 with fix

ProductAffected VersionsFix Status

750-352≤ FW13FW14

750-362≤ FW03FW05

750-363≤ FW03FW05

750-823≤ FW03FW05

750-831/xxx-xxx≤ FW13FW14

750-832/xxx-xxx≤ FW03FW05

750-852≤ FW13FW14

750-862≤ FW03FW05

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to the WBM management interface to only authorized engineering workstations using firewall rules or network segmentation

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

750-352

HOTFIXUpdate firmware on all affected WAGO 750-88X and 750-89X devices: update to FW14 for models 750-352, 750-831/xxx-xxx, 750-852, 750-880/xxx-xxx, 750-881, 750-889; update to FW05 for models 750-362, 750-363, 750-823, 750-832/xxx-xxx, 750-862, 750-890/0xx-xxx, 750-891

Long-term hardening

0/3

HARDENINGDisable unnecessary TCP/UDP ports on the devices

HARDENINGEnforce strong, unique passwords for all device administrative accounts

HARDENINGDo not expose the WBM interface directly to the internet; keep devices on an isolated OT network or behind a firewall

CVEs (1)

CVE-2018-16210

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8cab8269-2bbc-4abe-87b2-51ef3db10a8d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.