WAGO: Web-Based Management Cross-Site Scripting

CVSS: 5.4
Advisory ID: VDE-2022-004
Published: Mar 9, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

WAGO's Web-Based Management (WBM) interface, used for administration and commissioning of PLCs, contains reflected cross-site scripting (XSS) vulnerabilities in various configuration pages. An attacker with network access to the WBM interface can inject malicious code that executes in the context of logged-in users' browsers, potentially allowing unauthorized changes to device configuration or theft of administrative credentials. Affected devices include Compact Controller 100, Edge Controller, PFC100, PFC200, and Touch Panel 600 series (all firmware versions FW16 through FW21). WAGO announced that a firmware update will be available at the end of Q2 2022 to address this issue.

What this means
What could happen
An attacker with access to your WAGO PLC's web management interface can inject malicious code that tricks authorized users into executing commands or revealing credentials, potentially compromising control of the device or engineering workstations connected to it.
Who's at risk
Manufacturing plants and utilities using WAGO PLCs for process control should care about this issue. Affected devices include Compact Controllers, Edge Controllers, PFC series (industrial process controllers), and Touch Panel 600 series (operator interfaces). This impacts anyone using WAGO devices for production control, monitoring, or safety functions.
How it could be exploited
An attacker sends a crafted URL containing malicious code to a user with access to the WAGO web management interface. When the user clicks the link, the code executes in their browser with their privileges, allowing the attacker to steal credentials or manipulate device configuration without direct authentication.
Prerequisites
  • Network access to the web management interface (HTTP/HTTPS port)
  • Valid credentials for a user account on the device
  • User must click a malicious link while logged into the web interface
  • User's browser must not have sufficient protections against XSS attacks

  • Remotely exploitable
  • Requires valid user credentials and user interaction
  • No vendor patch currently available
  • Affects industrial controllers used in manufacturing and process control
  • Low to medium CVSS score but affects administrative interfaces to critical devices
Affected products (7), 7 with fix

Product                                 Affected Versions   Fix Status
Compact Controller 100                  FW16 to <FW22       FW22 or later
Edge Controller                         FW16 to <FW22       FW22 or later
Series PFC100                           FW16 to <FW22       FW22 or later
Series PFC200                           FW16 to <FW22       FW22 or later
Series Touch Panel 600 Advanced Line    FW16 to <FW22       FW22 or later
Series Touch Panel 600 Marine Line      FW16 to <FW22       FW22 or later
Series Touch Panel 600 Standard Line    FW16 to <FW22       FW22 or later
Remediation & Mitigation

Do now
  • HARDENING: Restrict network access to the Web-Based Management interface using a firewall rule: only permit connections from authorized engineering workstations and management networks, and block external access
  • HARDENING: Do not connect the WAGO device directly to the internet
  • HARDENING: Enforce strong, unique passwords for all user accounts on the WAGO device

Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
  • WORKAROUND: Disable all unused TCP/UDP ports on the WAGO device
  • HOTFIX: Plan to update to firmware FW22 or later when WAGO releases the fixed version (expected end of Q2 2022), then apply during a maintenance window
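As an added example (not from the advisory and not WAGO's code), the network-restriction control above and the reflected-XSS risk can be checked against WBM access logs: a Python script that flags requests arriving from outside an allowlist of engineering networks, and requests whose URL-decoded query parameters carry script-like markup. The log lines, the /wbm/ paths, the parameter names and the 10.20.1.0/24 allowlist are constructed placeholders, since the advisory does not name the affected pages.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access log in Common Log Format; not from a real WAGO device.
# Paths and parameter names are placeholders: the advisory does not name the affected WBM pages.
SAMPLE_LOG = """\
10.20.1.15 - admin [09/Mar/2022:10:01:02 +0100] "GET /wbm/config.php?hostname=plc-01 HTTP/1.1" 200 512
10.20.1.15 - admin [09/Mar/2022:10:02:10 +0100] "GET /wbm/config.php?hostname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530
198.51.100.7 - - [09/Mar/2022:10:03:44 +0100] "GET /wbm/login.php HTTP/1.1" 200 320
10.20.1.16 - user [09/Mar/2022:10:05:00 +0100] "GET /wbm/network.php?iface=eth0&desc=x%22%20onmouseover%3Dalert(1)%20a%3D%22 HTTP/1.1" 200 600
"""
# Engineering workstations / management networks allowed to reach the WBM (assumed values).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Markup/script markers that should never appear in a reflected configuration parameter (checked after decoding).
XSS_MARKERS = re.compile(r'<\s*/?\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b', re.I)

def source_allowed(src):
    """True if the client address is inside one of the permitted engineering networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_SOURCES)

def suspicious_params(target):
    """Names of query parameters whose decoded value contains script-like markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; decode again to catch double-encoding
        if XSS_MARKERS.search(decoded):
            hits.append(name)
    return hits

def analyze_log(text):
    """One finding per request that comes from outside the allowlist or carries an XSS-looking parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        reasons = []
        if not source_allowed(m["src"]):
            reasons.append("source outside allowed engineering networks")
        params = suspicious_params(m["target"])
        if params:
            reasons.append("script-like content in parameter(s): " + ", ".join(params))
        if reasons:
            findings.append({"src": m["src"], "user": m["user"], "target": m["target"], "reasons": reasons})
    return findings
```

Run `analyze_log(SAMPLE_LOG)` to get the three findings for the constructed log; point it at the reverse proxy or WBM access log of a real deployment to review who reaches the interface and with what parameters.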
WAGO: Web-Based Management Cross-Site Scripting | CVSS 5.4 - OTPulse