WAGO: Web-Based Management Authentication Vulnerability in WAGO 750-36X and WAGO 750-8XX

Plan Patch8.1VDE-2020-044Aug 31, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The Web-Based Management (WBM) interface in WAGO 750-36X and 750-8XX PLCs allows attackers to read and write device parameters without authentication using specially crafted HTTP requests. The WBM service is typically used for administration, commissioning, and firmware updates. This is a separate vulnerability from advisory SAV-2020-014 / VDE-2020-028.

What this means

What could happen

An attacker with network access to the Web-Based Management interface can read and write device parameters without authentication, potentially allowing unauthorized configuration changes, credential theft, or control of PLC logic that governs manufacturing processes.

Who's at risk

Manufacturing facilities using WAGO 750-36X compact PLCs and WAGO 750-8XX modular PLC controllers for process automation, material handling, or other industrial control applications where the Web-Based Management interface is accessible from the network.

How it could be exploited

An attacker sends specially crafted HTTP requests to the WBM interface on ports 80 or 443. The vulnerability bypasses authentication checks, allowing the attacker to directly modify PLC parameters or extract sensitive configuration data without credentials.

Prerequisites

Network access to TCP ports 80 or 443 on the affected WAGO PLC
Web-Based Management (WBM) interface must be enabled and accessible

remotely exploitableno authentication requiredlow complexityaffects industrial control logichigh CVSS score (8.1)

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

750-362≤ FW07FW08

750-363≤ FW07FW08

750-823≤ FW07FW08

750-832/xxx-xxx≤ FW07FW08

750-862≤ FW07FW08

750-890/xxx-xxx≤ FW07FW08

750-891≤ FW07FW08

750-893≤ FW07FW08

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to WBM ports 80/443 to trusted engineering networks only using firewall rules

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to FW08 or later on all affected WAGO 750-36X and 750-8XX PLC modules

HARDENINGDisable TCP/UDP ports on the PLC that are not required for operations

HARDENINGDisable the Web-Based Management service on ports 80/443 after completing configuration and commissioning

Long-term hardening

0/1

HARDENINGDo not expose WAGO PLCs directly to the internet; keep them on isolated control network segments

CVEs (1)

CVE-2021-34578

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a6c56843-875b-41a2-8390-840816ca3e9a