WAGO: Multiple Vulnerabilities in the Web-Based Management Interface

Plan PatchCVSS 9.8VDE-2021-013May 5, 2021

Phoenix ContactWAGOManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in WAGO industrial managed switches Web-Based Management (WBM) interface allow an attacker with access to the device to install malware, access password hashes, and create administrative user accounts. Affected are models 0852-0303, 0852-1305, 0852-1505 and their variants across multiple firmware versions. Vulnerabilities include missing authentication controls, insecure password storage, cleartext transmission, and cross-site scripting. The WBM is typically used for administration and commissioning only and is not needed during normal operations.

What this means

What could happen

An attacker with network access to an affected switch could obtain administrative credentials, install malware, or modify switch configuration, potentially disrupting network communications for critical industrial processes including production lines and safety systems.

Who's at risk

Manufacturing facilities operating WAGO industrial managed switches (models 0852-0303, 0852-1305, 0852-1505) used for Ethernet network management and commissioning. This affects the management and monitoring capabilities of production network infrastructure, potentially impacting connected process control devices, safety systems, and plant-wide communications.

How it could be exploited

An attacker reaches the WBM interface via HTTP on the switch's network port, exploiting missing authentication or weak credential controls to access the admin panel. Once authenticated or bypassing authentication, the attacker can extract password hashes, create new admin accounts, or inject malicious code through the WBM interface.

Prerequisites

Network access to the WBM HTTP service on the switch (typically port 80)
Physical or logical network connectivity to the switch's management interface
Device must be accessible from the attacker's network segment (no air-gap isolation)

Remotely exploitableNo authentication requiredLow complexityHigh CVSS (9.8)Affects industrial network infrastructureNo fix available for some hardware versions

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

0852-1305≤ V1.1.7.S0V1.1.8.S0

0852-1305/000-001≤ V1.0.4.S0V1.1.4.S0

0852-1505≤ V1.1.6.S0V1.1.8.S0

0852-1505/000-001≤ V1.0.4.S0V1.1.4.S0

Hardware 0852-0303 (HW<3)*≤ V1.2.3.S0V1.2.5.S0

Hardware 0852-0303 (HW>=3)*≤ V1.2.3.S0V1.2.3.S1

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable the web server on the switch after commissioning is complete

HARDENINGRestrict network access to the switch's management interface using firewall rules—allow only authorized engineering workstations and management systems

HARDENINGDo not connect the switch directly to the internet or untrusted networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

0852-1305

HOTFIXUpdate to the patched firmware version: 0852-0303 (HW<3) to V1.2.5.S0, 0852-0303 (HW>=3) to V1.2.3.S1, 0852-1305 to V1.1.8.S0, 0852-1505 to V1.1.7.S0, 0852-1305/000-001 and 0852-1505/000-001 to V1.1.4.S0

All products

WORKAROUNDUse the CLI interface instead of the web-based management for device administration

CVEs (6)

CVE-2021-20998 CVE-2021-20995 CVE-2021-20997 CVE-2021-20994 CVE-2021-20993 CVE-2021-20996

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/15e05f8b-a60b-4f05-816a-486c6eaae254

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.