WAGO: Command Injection Vulnerability in I/O-Check Service of multiple products

Act Now9.8VDE-2020-045Dec 17, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The vulnerability exists in the I/O-Check service of multiple WAGO controller models. The service fails to properly validate input in specially crafted network packets, allowing command injection. An attacker with network access can exploit this to execute arbitrary code on the device. The I/O-Check service is only required during installation and commissioning, not during normal operation. Vulnerability has been fixed in FW11 released December 2017.

What this means

What could happen

An attacker on your network can send specially crafted packets to the I/O-Check service to execute arbitrary code on WAGO controllers, potentially altering I/O logic, process outputs, or stopping operations entirely.

Who's at risk

Water and utility operators using WAGO 750-81xx, 750-82xx, 762-4xxx, 762-5xxx, or 762-6xxx controllers for process automation and I/O control should be concerned. These compact logic controllers commonly manage pump stations, valve control, filtration systems, and electrical distribution operations.

How it could be exploited

An attacker with network access to the controller identifies the I/O-Check service listening on the network. The attacker sends a malicious packet with injected commands to the service, which executes the commands without proper input validation. The attacker gains code execution on the device.

Prerequisites

Network access to WAGO controller on default I/O-Check service port
Device running firmware FW10 or older
I/O-Check service enabled on the device

remotely exploitableno authentication requiredlow complexityaffects safety systemshigh EPSS score

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

750-81xx/xxx-xxx≤ FW10FW11

750-82xx/xxx-xxx≤ FW10FW11

762-4xxx≤ FW10FW11

762-5xxx≤ FW10FW11

762-6xxx≤ FW10FW11

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable the I/O-Check service on all WAGO controllers after commissioning is complete

WORKAROUNDRestrict network access to WAGO controllers using firewall rules; block all untrusted inbound connections

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

762-4xxx

HOTFIXUpdate all WAGO 750-81xx, 750-82xx, 762-4xxx, 762-5xxx, and 762-6xxx controllers to firmware FW11 or later

Long-term hardening

0/1

HARDENINGIsolate WAGO controllers from direct internet connectivity; connect only through your plant network

CVEs (1)

CVE-2020-12522

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2c5877ec-0c73-4cf5-b5ab-66bad379eecc