WAGO: Multiple Vulnerabilities in I/O-Check Service
Act Now | CVSS 9.8 | VDE-2020-036 | Jun 29, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple buffer overflow and memory corruption vulnerabilities (CWE-787, CWE-120, CWE-125, CWE-770) exist in the WAGO I/O-Check Service across Touch Panel 600, Edge Controller, PFC200, and PFC100 devices running firmware FW18Patch2 and earlier. The I/O-Check service is used only during installation and commissioning. Successful exploitation allows an attacker to execute arbitrary code and gain full control of the affected device.
What this means
What could happen
An attacker with network access to a WAGO controller can execute arbitrary code and take full control of the device, potentially disrupting water treatment, electric distribution, or other critical automation processes.
Who's at risk
Water and electric utilities using WAGO Touch Panel 600, Edge Controller, PFC200, or PFC100 controllers for process automation. This affects any facility relying on these devices for SCADA or local automation logic.
How it could be exploited
An attacker sends specially crafted packets to the I/O-Check service (typically port 502 or similar) to trigger buffer overflow or memory corruption vulnerabilities in the service. This allows the attacker to run arbitrary code with the privileges of the service, gaining control of the PLC's configuration and operation.
Prerequisites
- Network access to the I/O-Check service port on the WAGO device
- I/O-Check service enabled (default or left running after commissioning)
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (9.8)
- Buffer overflow vulnerabilities
- Affects industrial automation devices
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
Hardware Touch Panel 600 | ≤ FW18Patch2 | FW18Patch3
Hardware Edge Controller | ≤ FW18Patch2 | FW18Patch3
Hardware PFC200 | ≤ FW18Patch2 | FW18Patch3
Hardware PFC 100 | ≤ FW18Patch2 | FW18Patch3
Remediation & Mitigation
Do now
- WORKAROUND: Disable the I/O-Check service on all WAGO Touch Panel 600, Edge Controller, PFC200, and PFC100 devices immediately after commissioning is complete
- HARDENING: Restrict network access to WAGO controllers at the firewall; block inbound connections to the I/O-Check service port from untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update all affected WAGO devices to firmware version FW18Patch3 or later
Long-term hardening
- HARDENING: Ensure WAGO controllers are not directly connected to the internet; place them on an isolated industrial network
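To work through the remediation list across a fleet, the following added example (not part of the advisory and not WAGO code) triages an asset inventory against the affected-products table. The inventory schema (name, product, firmware, iocheck_enabled) and the "FW<release>Patch<n>" label format are assumptions; the sample records are constructed.

```python
import re

# Product families and fixed release, taken from the advisory's table.
AFFECTED = {"touch panel 600", "edge controller", "pfc200", "pfc100"}
FIXED = (18, 3)  # FW18Patch3

# Assumed label format: "FW<release>", optionally followed by "Patch<n>".
FW_RE = re.compile(r"^FW\s*(\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)


def parse_fw(label):
    """Return (release, patch) for a label like 'FW18Patch2', or None."""
    m = FW_RE.match(label.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def triage(device):
    """Classify one inventory record (hypothetical schema) against the advisory."""
    product = " ".join(device["product"].lower().split()).replace("pfc ", "pfc")
    if product not in AFFECTED:
        return "not-listed"
    fw = parse_fw(device["firmware"])
    if fw is None:
        return "check-manually"  # never assume an unreadable version is patched
    if fw >= FIXED:  # numeric compare, so Patch10 sorts after Patch3
        return "fixed"
    if device.get("iocheck_enabled", True):  # unknown state counts as enabled
        return "vulnerable-service-on"
    return "vulnerable-service-off"  # workaround applied, update still pending


def report(inventory):
    """Map each device name to its triage status."""
    return {d["name"]: triage(d) for d in inventory}


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    {"name": "plc-a", "product": "PFC200", "firmware": "FW18Patch2", "iocheck_enabled": True},
    {"name": "plc-b", "product": "PFC 100", "firmware": "FW18", "iocheck_enabled": False},
    {"name": "hmi-c", "product": "Touch Panel 600", "firmware": "FW18Patch10"},
    {"name": "edge-d", "product": "Edge Controller", "firmware": "03.06.11(18)"},
    {"name": "plc-e", "product": "PFC200", "firmware": "FW16"},
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as vulnerable-service-off still need the FW18Patch3 update; the workaround only removes the exposed service.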