WAGO: Multiple product series affected by multiple CODESYS vulnerabilities

Plan PatchCVSS 9.8VDE-2022-035Aug 17, 2022

CODESYSWAGO

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple WAGO product families (CC100, EC300, PFC 100, PFC 200, TP600) contain multiple critical vulnerabilities in the CODESYS control runtime system. The vulnerabilities include buffer overflow (CWE-787), missing input validation (CWE-20), null pointer dereference (CWE-476), and improper access control (CWE-345). An unauthenticated attacker with network access can exploit these flaws to execute arbitrary code on affected controllers without user interaction or credentials, potentially gaining complete control over control system functions.

What this means

What could happen

Multiple vulnerabilities in WAGO controllers running CODESYS allow an unauthenticated attacker on the network to execute arbitrary code, potentially altering process logic, stopping production lines, or corrupting control system data without any credentials or user interaction.

Who's at risk

Water utilities and municipal electric distribution operators using WAGO PFC 100, PFC 200, TP600, or CC100 controllers in SCADA/automation systems. Any facility relying on these controllers for real-time process control, pump operation, valve actuation, or power distribution logic is affected.

How it could be exploited

An attacker on the network sends a specially crafted network packet to the affected WAGO controller. The CODESYS runtime processes the malformed input due to buffer overflow (CWE-787) or missing input validation (CWE-20), allowing the attacker to write arbitrary code to memory. The attacker then executes commands on the controller to manipulate control logic or halt operations.

Prerequisites

Network access to the WAGO controller on the port where CODESYS runtime listens (typically port 11740 or web interface ports)
No authentication required
Controller must be running vulnerable firmware version

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.8)high EPSS scoreno patch available for CC100 and EC300 as of advisory dateaffects industrial automation and critical infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Affected products (5)

4 with fix1 EOL

ProductAffected VersionsFix Status

PFC 200≤ 03.09.05(21)03.10.08(22)

TP600≤ 03.07.14(19)03.10.09(22)

CC100≤ 03.09.07(21)03.10.09(22)

EC300≤ 03.07.14(19)No fix (EOL)

PFC 100≤ 03.09.05(21)03.10.08(22)

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDImplement firewall rules to restrict network access to CODESYS runtime ports (port 11740 and web interface) to only authorized engineering workstations and management networks

HARDENINGDisable remote access to controllers unless absolutely required; if remote access is needed, use VPN tunnels with encryption

HARDENINGEnable and enforce user authentication and strong passwords on all CODESYS projects and controller access

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

PFC 200

HOTFIXUpdate PFC 100 and PFC 200 controllers to firmware version 03.10.08(22) or later

TP600

HOTFIXUpdate TP600 and CC100 controllers to firmware version 03.10.09(22) or later

Mitigations - no patch available

0/1

EC300 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate control system networks from corporate networks and the internet

CVEs (6)

CVE-2021-36763 CVE-2021-33485 CVE-2021-36765 CVE-2020-6081 CVE-2021-29241 CVE-2021-29242

View full CERT@VDE advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/af86b04a-0b95-473d-ba97-ec0e1702e159

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.