WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe

Act Now7.8VDE-2022-009Apr 6, 2022

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

The Linux kernel versions 5.8 and later contain a flaw that allows local users to write to arbitrary kernel memory, resulting in privilege escalation. WAGO PFC100, PFC200, Compact Controller CC100, Touch Panel 600, and Edge Controller devices incorporate this vulnerable kernel. Successful exploitation grants root-level access, allowing an attacker to modify control logic and process parameters on affected PLCs. Some product lines have no planned fix; others are patched in newer firmware versions.

What this means

What could happen

A local user with valid access to a WAGO PLC or controller can exploit a Linux kernel flaw to gain elevated privileges and potentially alter control logic, process parameters, or halt operations on manufacturing equipment.

Who's at risk

Manufacturing facilities using WAGO programmable logic controllers (PLCs) and controllers: PFC100/PFC200 series (750-81xx, 750-8217, 750-82xx, 751-9301), Touch Panel 600 series (762-4xxx, 762-5xxx, 762-6xxx), Edge Controller (752-8303), and Compact Controller CC100. This affects production automation, process control, and machinery that depend on these controllers.

How it could be exploited

An attacker with local access to the device (e.g., via SSH or physical console with valid credentials) can write to arbitrary memory locations in the Linux kernel, escalating their privileges to root level. With root access, they can modify PLC logic, change setpoints, disable safety interlocks, or stop production processes.

Prerequisites

Local access to the device (SSH, Ethernet, or physical console)
Valid user account credentials on the PLC
Device running affected Linux kernel version (5.8 or later)

actively exploited (KEV)remotely exploitable via local networklow complexity attackaffects safety systems (PLCs control industrial processes)no patch available for 750-81xx and 750-82xx older firmware versionshigh CVSS score (7.8)authentication required but users may have weak credentials

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (11)

11 with fix

ProductAffected VersionsFix Status

750-8217/xxx-xxx03.07.14(19)≤ 03.07.18(19)03.09.05(21)

750-8217/xxx-xxx03.08.07(20)≤ 03.08.08(20)03.09.05(21)

751-930103.08.07(20)≤ 03.08.08(20)03.09.04(21)

752-8303/8000-00203.07.14(19)≤ 03.07.18(19)03.07.19(19)

762-4xxx03.07.14(19)≤ 03.07.18(19)03.07.19(19)

762-5xxx03.07.14(19)≤ 03.07.18(19)03.07.19(19)

762-6xxx03.07.14(19)≤ 03.07.18(19)03.07.19(19)

750-81xx/xxx-xxx03.07.14(19)≤ 03.07.18(19)03.09.04(21)

Remediation & Mitigation

0/7

Do now

0/7

752-8303/8000-002

HOTFIXUpdate firmware on WAGO Touch Panel 600 and Edge Controller products (762-4xxx, 762-5xxx, 762-6xxx, 752-8303/8000-002) to version 03.07.19(19) or later

751-9301

HOTFIXUpdate WAGO 751-9301 firmware to version 03.09.04(21) or later

All products

HOTFIXUpdate firmware on WAGO PFC100/PFC200 controllers (750-81xx, 750-8217, 750-82xx) to version 03.09.04(21) or later

WORKAROUNDRestrict network access to WAGO PLCs using firewall rules; block all inbound SSH and telnet traffic from untrusted networks

HARDENINGDisable unused TCP/UDP ports on affected PLCs

HARDENINGEnforce strong, unique passwords on all user accounts and disable default credentials

HARDENINGDo not directly connect WAGO PLCs to the internet; isolate them on a protected industrial network segment

CVEs (1)

CVE-2022-0847

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4032fb06-d6ba-40d3-8b8a-5e9d4c4ba054